Chapter 1 



INTRODUCTION 



Hardware verification is the process of checking whether a design conforms 
to its specifications of functionality and timing. In today’s design processes it 
becomes more and more important. Very large scale integrated (VLSI) circuits 
and the resulting digital systems have conquered a place in almost all areas 
of our life, even in security sensitive applications. Complex digital systems 
control airplanes, have been used in banks and on intensive-care units. Hence, 
the demand for error-free designs is more important than ever. In addition, 
economic reasons underline this demand as well. The design and production 
process of present day VLSI-circuits is highly time- and cost-intensive. More- 
over, it is nearly impossible to repair integrated circuits. Thus, it is desirable 
to detect design errors early in the design process and not just after producing 
the prototype chip. All these facts are reflected by developing and produc- 
tion statistics of present day companies. For example, Infineon Technologies 
[118] assumed that about 60% to 80% of the overall design time was spent for 
verification in 2000. Other sources cite the 3-to-1 head count ratio between 
verification engineers and logic designers. This shows that verifying logical 
correctness of the design of hardware systems is a major gate to the problem of 
time-to-market (cf. [113]). 

With the chip complexity constantly increasing, the difficulty as well as the importance of functional verification of new product designs has increased. It is not only more important to get error-free designs. Moreover, it becomes an increasingly difficult task for a team of human designers to carry out a full design without errors. The traditional training of new verification engineers has to be adapted to the new situation. New skills are necessary. As mentioned before, it is necessary to find design errors early in the design process. It is important to develop skills to handle design processes which may lead into functionally incorrect designs. For these reasons, nearly all major universities offer lectures on basic verification techniques such as propositional temporal logic, model checking, equivalence checking, and simulation coverage measures. The present book is designed as a textbook covering one of the most important aspects in the verification process: equivalence checking of Boolean circuits.

1. Tasks in verification processes 

The validation process of a design mainly consists of three tasks in today’s 
verification processes: 

At first, the designers have to give a formal specification which describes the 
desired behavior of the circuit. Usually, such a specification is given by a set of 
properties, each of them expressed in a propositional temporal logic [48]. The 
designers have to assure themselves of the completeness of their specification, 
i.e., they have to answer the question 'What properties do we really want to prove about this circuit?'. All relevant aspects of a design have to be covered by the specification. This 'Have we written enough properties?'-problem is one subject of current international research [28, 38, 71].

After having designed a first implementation of the circuit, which is usually given at the register-transfer level, it has to be proven that the specified properties are satisfied by the implementation, i.e., that the design is logically correct. This is done by applying a number of innovative tools and methodologies, for example, symbolic model checking [30, 100], bounded model checking [10], and test environments (cf. [8]).

Starting from a register-transfer-level description, a design is synthesized to a gate level netlist. This netlist is then subject to layout synthesis. After all, there is almost no design where not some manual corrections need to be done. During many years, it has been argued that synthesis is correct by construction, but experience shows that this is not always the case [118]. Today's synthesis systems are huge and complicated software constructs. We cannot assume that the correctness of such a system can ever be guaranteed or even be proven. Instead of attempting to formally verify the design automation tools, a more practical way is to formally check that a circuit synthesized by a design automation tool is functionally equivalent to the initial register-transfer-level description. This is the task of equivalence checking, namely proving that two given circuits are equivalent, i.e., that they have the same input/output behavior. From the industrial point of view, equivalence checking is the most important formal verification technique being employed in today's design flows.
2. Equivalence checking 

Equivalence checking is the problem of checking whether two circuit descriptions specify the same behavior.

In order to compare the functionality of two circuits, we need to know the 
relation between their interfaces. If such a one-to-one correspondence between 
the primary inputs and outputs of the two circuits which have to be compared is 
not given, it has to be computed before the test for equivalence can be run. This 
problem is called Permutation Independent Boolean Comparison Problem in 
literature [106, 108, 109]. We investigate it in Chapter 8. 

2.1 Equivalence checking of combinational circuits 

Let us assume that the two combinational circuits F and G need to be tested for 
functional equivalence. When the relation between the interfaces of these two 
circuits is given, then we have to decide whether the circuits F and G implement 
the same Boolean function. More formally, the equivalence checking problem 
is defined as follows: 

Given two representations $d_f$ and $d_g$ of two Boolean functions $f, g : \{0, 1\}^n \to \{0, 1\}^m$, decide whether the Boolean functions $f$ and $g$ are equal, i.e., whether $f(\alpha) = g(\alpha)$ holds for all $\alpha \in \{0, 1\}^n$.

In general, this problem is co-NP hard [53]. Just assume that $d_f$ is a Boolean formula and $g$ is the constant Boolean function 0. Then, equivalence checking means to decide whether $d_f$ describes the constant Boolean function 0. This problem is the complemented, well-known SAT problem for Boolean formulae which is known to be NP hard. However, the complexity of equivalence checking depends on the representation type chosen. For instance, equivalence checking applied to reduced ordered binary decision diagrams (BDDs) [20] or multiplicative binary moment diagrams (*BMDs) [22, 23], which describe pseudo-Boolean functions, can be done in constant time.
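As an added illustration of this definition (Python written for this edition, not code from the book or its authors), the following checks two representations of a function against each other by exhaustive evaluation of $\{0, 1\}^n$ and shows the reduction to SAT described above: $f$ and $g$ are equal exactly when the function that is 1 where they differ is the constant 0. The adders, the helper names, and the injected carry fault are constructed for this example.

```python
from itertools import product
from typing import Callable, Optional, Tuple

Bits = Tuple[int, ...]                 # bit vectors, least significant bit first
BoolFun = Callable[[Bits], Bits]       # f : {0,1}^n -> {0,1}^m


def reference_adder(width: int) -> BoolFun:
    """d_f: the specification of a width-bit adder, written with integer arithmetic."""
    def f(alpha: Bits) -> Bits:
        a, b = alpha[:width], alpha[width:]
        total = sum(x << i for i, x in enumerate(a)) + sum(y << i for i, y in enumerate(b))
        return tuple((total >> i) & 1 for i in range(width + 1))
    return f


def ripple_carry_adder(width: int) -> BoolFun:
    """d_g: a gate-level style implementation (full adders chained by their carries)."""
    def g(alpha: Bits) -> Bits:
        a, b = alpha[:width], alpha[width:]
        carry, out = 0, []
        for x, y in zip(a, b):
            out.append(x ^ y ^ carry)
            carry = (x & y) | (x & carry) | (y & carry)
        out.append(carry)
        return tuple(out)
    return g


def faulty_adder(width: int) -> BoolFun:
    """Constructed design error: the carry logic lost the (y AND carry) term."""
    def g(alpha: Bits) -> Bits:
        a, b = alpha[:width], alpha[width:]
        carry, out = 0, []
        for x, y in zip(a, b):
            out.append(x ^ y ^ carry)
            carry = (x & y) | (x & carry)          # missing: | (y & carry)
        out.append(carry)
        return tuple(out)
    return g


def difference(f: BoolFun, g: BoolFun) -> Callable[[Bits], int]:
    """The Boolean function that is 1 exactly where f and g disagree.

    f and g are equal iff this function is the constant 0, i.e. iff it is
    unsatisfiable: the complemented SAT problem mentioned in the text."""
    return lambda alpha: int(f(alpha) != g(alpha))


def first_satisfying(h: Callable[[Bits], int], n: int) -> Optional[Bits]:
    """Exhaustive SAT over {0,1}^n: the first alpha with h(alpha) = 1, else None."""
    for alpha in product((0, 1), repeat=n):
        if h(alpha) == 1:
            return alpha
    return None


def check_equivalence(f: BoolFun, g: BoolFun, n: int) -> Optional[Bits]:
    """None if f(alpha) = g(alpha) for all alpha in {0,1}^n, else a counterexample."""
    return first_satisfying(difference(f, g), n)


if __name__ == "__main__":
    width = 3
    spec, impl, bad = reference_adder(width), ripple_carry_adder(width), faulty_adder(width)
    print("ripple-carry adder equivalent to spec:", check_equivalence(spec, impl, 2 * width) is None)
    print("counterexample for faulty adder:", check_equivalence(spec, bad, 2 * width))
```

The exhaustive search is only viable for small $n$; it makes the definition and the co-NP argument concrete, whereas the chapters referenced above replace it by canonical forms, ATPG and SAT solving.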

One of the basic approaches to prove functional equivalence of two combinational circuits is to transform both circuits into canonical forms. In most applications, these are reduced ordered BDDs or *BMDs since the size of other canonical forms of Boolean functions, as for example minterm forms, is usually much larger than the corresponding reduced ordered BDDs and *BMDs. We discuss this problem in further detail in Chapter 3. After the construction of the reduced ordered BDDs or *BMDs of the functions under consideration, the equivalence check can be performed by checking whether the two canonical representations are equal. This can be done in constant time. However, there are some major bottlenecks to this approach which have to be considered. We are going to handle this in detail in Chapter 4. Let us discuss them briefly.
Some functions cannot be efficiently represented by BDDs or *BMDs. Bryant 
[20] proved that reduced ordered BDDs for integer multipliers are of expo- 
nential size. The representational power of *BMDs is too weak to efficiently 
represent integer division [131]. Obviously, when the functional behavior of 
a Boolean circuit cannot be efficiently represented by a canonical form, the 
equivalence problem has to be solved with other approaches. These are auto- 
matic test pattern generation methods, SAT solving techniques, or structural 
equivalence checking. For a description of these methods we refer to Chapter 5 
and Chapter 6. 

Even if the functional behavior of a Boolean circuit can efficiently be repre- 
sented by a BDD or a *BMD, the memory requirements may grow exponentially 
during the synthesis of a decision diagram. To overcome this difficulty 
Hulgaard/Williams/Andersen [64] and Hett [60], for example, introduced a new 
data structure for representing and manipulating Boolean functions. It is called 
binary expression diagram (BED). BEDs are an extension of BDDs and they 
are capable of representing any Boolean circuit in linear space. BEDs can be 
seen as an intermediate representation between circuits which are compact and 
BDDs which are canonical. We discuss them in Chapter 4 as well. 

Most of the papers published in literature handle the problem of proving that an error-free circuit is error-free. For example, Hamaguchi et al. [57] experimentally showed that error-free 64-bit integer multipliers of several types can be verified to be error-free in some hours using the backward construction method. But there is no evidence that a faulty 64-bit integer multiplier can efficiently be proven to be faulty. Ideas of how to attack this problem have been discussed in [74, 145]. We address them in Chapter 4, too.

A further important tool in formal verification is Black Box Equivalence Checking [129, 130] which occurs when the specification is known, but only parts of the implementation have been finished or are known. It enables the use of verification techniques in early stages of the design. Design errors can be detected already when only a partial implementation is on hand. The basic idea is to combine parts of the implementation which are not yet finished into black boxes. If the implementation differs from the specification for all possible substitutions of the black boxes, a design error exists. This is the topic of Chapter 7.

2.2 Equivalence checking of sequential circuits 

Digital sequential circuits are modelled as finite-state machines (FSM). There is a well-developed theory for analyzing FSMs, including checking their equivalence [75] which is based on a (costly) state space traversal. However, in most cases equivalence checking is applied to sequential circuits to show that certain circuit modifications have not altered the functional behavior of the circuit. Often, the state encoding of the two circuits remains the same. In this special 
case, it is not always necessary to perform a costly state space traversal. Since 
the output and state transition functions are combinational circuits, it is some- 
times sufficient to compare these functions. For that, the correspondence of 
the latches of the two sequential circuits to be checked has to be known. Un- 
fortunately, there are several cases in which the correspondence may get lost. 
During synthesis huge hierarchical designs lead to long hierarchical names for 
internal state variables. Since most backend tools have severe restrictions on 
name lengths, the synthesizer shortens these internal names accordingly. In 
particular, if VHDL generics are involved, the names may be changed such that 
not even a human is able to establish the correspondence. Here the verifier has 
to be able to establish the latch correspondence based on the individual output and state transition functions to avoid time consuming state space traversal [118]. In Chapter 10 we are going to introduce some methods to handle this problem.

3. Structure of the book 

Let us give a short summary of the contents of this book to help you to find the different topics more easily.

In Part I, we review some basic definitions, notions, and notations that we use throughout the book (Chapter 2). Then we turn our attention to representations of Boolean functions (Chapter 3). We discuss advantages and disadvantages of the different types of representations with respect to formal equivalence checking.

Part II gives a detailed introduction into the principles and methods of equivalence checking of combinational circuits. Chapter 4 presents the approach of proving functional equivalence of two combinational circuits by transforming both circuits into canonical forms, normally reduced ordered BDDs or reduced ordered *BMDs [20, 23, 57]. Furthermore, it handles the approach of Hulgaard et al. [64] and Hett [60] mentioned above and discusses the problem of proving a faulty combinational circuit to be faulty [74, 145]. Chapter 5 is devoted to equivalence checking tools based on automatic test pattern generation and satisfiability of conjunctive normal forms. Since the equivalence checking tools based on canonical forms as well as ATPG- or SAT-based equivalence checking tools often fail when applied to large circuit descriptions, the circuits to be compared have to be simplified then. Approaches which try to simplify the equivalence checking problem by exploiting structural similarities of the circuits to be compared are presented in Chapter 6 [9, 16, 77]. The problem of Black Box Equivalence Checking is addressed by our guest authors Bernd Becker and Christoph Scholl in Chapter 7. Finally, Permutation Independent Boolean Comparison is handled in Chapter 8.

In Part III, we are going to give a detailed introduction to equivalence checking 
of sequential circuits. We begin with formal basics in Chapter 9. Furthermore, 
we are going to dwell on state space traversal, which is the basis of most of the 
general equivalence checking methods for sequential circuits, in this chapter 
as well. Chapter 10 deals with the latch correspondence problem which is the 
problem of finding the correspondence between the latches of the sequential 
circuits under comparison assuming that the state encodings of both circuits are 
the same. 

4. The audience 

This book is designed as a textbook. It reviews the basic ideas of current 
formal equivalence checking methods for combinational and sequential circuits 
based on canonical representations of Boolean functions, satisfiability solving, 
automatic test pattern generation, and structural methods. We wish to address 
a broad audience. Equivalence Checking of Digital Circuits is going to serve 
as 



■ a textbook for upper-level undergraduate and graduate students in electrical 
and computer engineering and 

■ as a reference for circuit design engineers. 

Enjoy it! 



Contact address: molitor@acm.org 




I 

FUNDAMENTALS 




Since this book is particularly intended to be used as a self-contained textbook, we start with basic definitions and elementary considerations regarding Boolean functions. The concept plays a central role in formal verification of circuits as Boolean functions are usually used to model combinational circuits. The other central concept, finite state machines, which are used to model sequential circuits, is going to be presented in Part III.

After the introduction of the basic notions and notations which we are going 
to use throughout the book, we will turn our attention to representations of 
Boolean functions in Chapter 3. We discuss space requirements and operational 
complexities of the different types of representations which are truth tables, 
Boolean expressions, cubes, networks, and decision diagrams. Here, we are 
specially interested in those operations occurring during formal equivalence 
checking. 
Chapter 2 



PRELIMINARIES 



This chapter briefly reviews the basic concepts of switching theory. This sum- 
mary is not complete; only those topics are considered which are of relevance 
for the understanding of later chapters. 

1. Basic notations 

First of all, we introduce basic notations which we are going to use in the book. 
We mainly use the notations introduced in [36]. 

We use braces (i.e., $\{\,\}$) to denote unordered sets and parentheses (i.e., $[\,]$) to denote ordered sets. For example, an unordered set of three elements is denoted by $M = \{a, b, c\}$. The cardinality of a set $M$ is the number of its elements. It is denoted by $|M|$. Given a set $M$, a partition of $M$ is a set of disjoint subsets of $M$ whose union is $M$. For example, $P_M = \{\{b\}, \{a, c\}\}$ is a partition of our example set. Set membership of an element is denoted by $\in$, set inclusion by $\subseteq$ or $\subset$. The symbol $\forall$ is the universal quantifier, the symbol $\exists$ the existential quantifier. Implication is denoted by $\Rightarrow$ and co-implication by $\Leftrightarrow$. The symbol $:$ means such that.

$\mathbb{Z} = \{\ldots, -2, -1, 0, 1, 2, \ldots\}$ denotes the set of integers. $\mathbb{N} = \{1, 2, 3, \ldots\}$ denotes the set of natural numbers. For a fixed $n \ge 1$, $\mathbb{N}_n$ denotes the subset $\{1, 2, 3, \ldots, n\} \subseteq \mathbb{N}$. With $\mathbb{N}_0$ we denote the set of non-negative integers $\{0, 1, 2, 3, \ldots\}$.

The Cartesian product of two sets $X$ and $Y$, denoted by $X \times Y$, is the set of all ordered pairs $(x, y)$, such that $x \in X$ and $y \in Y$.
A relation $R$ between two sets $X$ and $Y$ is a subset of $X \times Y$. We write $xRy$ when $x \in X$, $y \in Y$ and $(x, y) \in R$. An equivalence relation is a subset $R$ of $X \times X$ which is reflexive, i.e.,

$\forall x \in X : xRx,$

symmetric, i.e.,

$\forall x, y \in X : xRy \Rightarrow yRx,$

and transitive, i.e.,

$\forall x, y, z \in X : (xRy \text{ and } yRz) \Rightarrow xRz.$

A partial order is a relation between $X$ and itself that is reflexive, antisymmetric, i.e.,

$\forall x, y \in X : (xRy \text{ and } yRx) \Rightarrow x = y,$

and transitive.

A function (or map) between two sets $X$ and $Y$ is a relation which has the property that each element of $X$ appears as the first element in one and only one pair of the relation. A function between two sets $X$ and $Y$ is denoted by $f : X \to Y$. The sets $X$ and $Y$ are called the domain and the co-domain of the function, respectively. The set $f(X) = \{f(x) : x \in X\}$ is called the range of function $f$. If each element of the range of a function $f$ has a unique element in the domain of $f$ which maps to it, then we say the function is injective. We say a function is surjective when the range is equal to the co-domain. Finally, a function is said to be bijective if it is both injective and surjective.

Let $M$ be a finite set, then $\mathrm{Per}(M) = \{\pi ; \pi : M \to M \text{ is a bijective function}\}$ denotes the set of all permutations of $M$.

Let $A$ be a finite alphabet, i.e., a finite set of symbols, then $A^*$ and $A^+$ denote the set of the finite sequences of elements of $A$ and the set of the non-empty finite sequences of elements of $A$, respectively. The length of a sequence $w \in A^*$, which is defined to be the number of elements in $w$, is denoted by $|w|$. For all $w \in A^+$ and $1 \le i \le j \le |w|$, the $i$th element of $w$ is denoted by $w_i$ and the sub-sequence $(w_i, \ldots, w_j)$ of sequence $w$ is denoted by $w_{i, \ldots, j}$.

2. Boolean algebra 

A central mathematical notion in circuit design is the algebra of logic, or 
Boolean algebra, which has been introduced by Boole in 1847 [13]. For the 
definition of Boolean algebras we follow the book of Hachtel and Somenzi [56]. 

Boolean algebras are based on partially ordered sets. 
Definition 2.1 (poset) Let $M$ be a set and $R \subseteq M \times M$ a relation. Then $(M, R)$ is called partially ordered set, or poset, if $R$ is a partial order.

If $(M, \le)$ is a poset and any two elements $a, b \in M$ have both meet and join, which we denote by $a \cdot b$ and $a + b$, respectively, then $(M, \le)$ is a lattice.

Definition 2.2 (meet) Let $(M, \le)$ be a poset. An element $m \in M$ is called meet of two elements $a, b \in M$, i.e., $m = a \cdot b$, if

■ $m \le a$, $m \le b$, and

■ $\forall q \in M : (q \le a \text{ and } q \le b) \Rightarrow q \le m$

hold.

Definition 2.3 (join) Let $(M, \le)$ be a poset. An element $m \in M$ is called join of two elements $a, b \in M$, i.e., $m = a + b$, if

■ $a \le m$, $b \le m$, and

■ $\forall q \in M : (a \le q \text{ and } b \le q) \Rightarrow m \le q$

hold.

Definition 2.4 (lattice) A poset $(M, \le)$ is a lattice if meet and join are defined for all elements $a, b \in M$.

Each finite lattice $(M, \le)$ meets some properties, namely

Lemma 2.1 (idempotence)

$\forall a \in M : a \cdot a = a \text{ and } a + a = a.$

Lemma 2.2 (commutativity)

$\forall a, b \in M : a \cdot b = b \cdot a \text{ and } a + b = b + a.$

Lemma 2.3 (associativity)

$\forall a, b, c \in M : (a \cdot b) \cdot c = a \cdot (b \cdot c) \text{ and } (a + b) + c = a + (b + c).$

Lemma 2.4 (absorption)

$\forall a, b \in M : a \cdot (a + b) = a \text{ and } a + (a \cdot b) = a.$

Lemma 2.5 (laws of 0 and 1)

• $\exists 1 \in M\ \forall a \in M : a \le 1.$

• $\exists 0 \in M\ \forall a \in M : 0 \le a.$

• $\forall a \in M : a \cdot 0 = 0,\ a \cdot 1 = a,\ a + 0 = a, \text{ and } a + 1 = 1.$

Lemma 2.6

$\forall a, b, c \in M : (a \cdot b) + (a \cdot c) \le a \cdot (b + c)$ and

$a + (b \cdot c) \le (a + b) \cdot (a + c).$

Now, a Boolean algebra is a complemented and distributive lattice.

Definition 2.5 (complemented lattice, complement) A finite lattice $(M, \le)$ is complemented if for all elements $a \in M$ there exists an element $b$ such that $a \cdot b = 0$ and $a + b = 1$. Element $b$ is called complement of $a$ and is denoted by $a'$ or $\neg a$.

Definition 2.6 (distributive lattice) A lattice $(M, \le)$ is distributive if for all $a, b, c \in M$

$(a \cdot b) + (a \cdot c) = a \cdot (b + c)$ and $(a + b) \cdot (a + c) = a + (b \cdot c)$

hold.

Definition 2.7 (boolean algebra) A Boolean algebra is a complemented, distributive lattice.

As an example, look at the two values to which signals of a circuit are restricted, L and H, or 0 and 1. Combining 0 and 1 by logical-and results in value 0. Now, let us interpret the binary logical-and operation as meet operation. Then $0 \le 1$ obviously holds and $(\{0, 1\}, \le)$ is a poset. Furthermore it is easy to prove that this poset is a lattice which is finite, complemented, and distributive. Thus, $(\{0, 1\}, \le)$ is a Boolean algebra, the so-called switching algebra. By this, it is easy to show that the poset $(\{0, 1\}^n, \le)$ defined by

$(\alpha_1, \ldots, \alpha_n) \le (\beta_1, \ldots, \beta_n) :\Leftrightarrow \forall i \in \mathbb{N}_n : \alpha_i \le \beta_i$

is a Boolean algebra, too. For more details, please see [19] and [99].
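To make Definitions 2.2 to 2.7 tangible, here is an added Python example (not from the book) that computes meet and join of a finite poset by searching for the greatest lower bound and least upper bound exactly as the definitions state, and then decides whether the poset is a lattice, complemented, and distributive. Run on $(\{0, 1\}^n, \le)$ it confirms the claim above that this poset is a Boolean algebra with meet and join being component-wise and/or; run on a three-element chain it shows a distributive lattice that is not complemented. All function names are this example's own.

```python
from itertools import product
from typing import Callable, List, Optional, Sequence, Tuple, TypeVar

T = TypeVar("T")
Leq = Callable[[T, T], bool]


def leq_componentwise(a: Sequence[int], b: Sequence[int]) -> bool:
    """The order on {0,1}^n from the text: a <= b iff a_i <= b_i for every i."""
    return all(x <= y for x, y in zip(a, b))


def boolean_nspace(n: int) -> List[Tuple[int, ...]]:
    return list(product((0, 1), repeat=n))


def meet(M: Sequence[T], leq: Leq, a: T, b: T) -> Optional[T]:
    """Greatest lower bound per Definition 2.2, found by search in the poset."""
    lower = [q for q in M if leq(q, a) and leq(q, b)]
    for m in lower:
        if all(leq(q, m) for q in lower):
            return m
    return None


def join(M: Sequence[T], leq: Leq, a: T, b: T) -> Optional[T]:
    """Least upper bound per Definition 2.3."""
    upper = [q for q in M if leq(a, q) and leq(b, q)]
    for m in upper:
        if all(leq(m, q) for q in upper):
            return m
    return None


def is_lattice(M: Sequence[T], leq: Leq) -> bool:
    """Definition 2.4: meet and join exist for every pair of elements."""
    return all(meet(M, leq, a, b) is not None and join(M, leq, a, b) is not None
               for a in M for b in M)


def bounds(M: Sequence[T], leq: Leq) -> Tuple[T, T]:
    """The elements 0 and 1 of Lemma 2.5 (M is assumed to be a finite lattice)."""
    zero = next(m for m in M if all(leq(m, a) for a in M))
    one = next(m for m in M if all(leq(a, m) for a in M))
    return zero, one


def complements(M: Sequence[T], leq: Leq, a: T) -> List[T]:
    """All b with a . b = 0 and a + b = 1 (Definition 2.5)."""
    zero, one = bounds(M, leq)
    return [b for b in M if meet(M, leq, a, b) == zero and join(M, leq, a, b) == one]


def is_complemented(M: Sequence[T], leq: Leq) -> bool:
    return all(complements(M, leq, a) for a in M)


def is_distributive(M: Sequence[T], leq: Leq) -> bool:
    """Definition 2.6, checked for all triples a, b, c."""
    mt = lambda x, y: meet(M, leq, x, y)
    jn = lambda x, y: join(M, leq, x, y)
    return all(mt(a, jn(b, c)) == jn(mt(a, b), mt(a, c))
               and jn(a, mt(b, c)) == mt(jn(a, b), jn(a, c))
               for a in M for b in M for c in M)


def is_boolean_algebra(M: Sequence[T], leq: Leq) -> bool:
    """Definition 2.7: a complemented, distributive lattice."""
    return is_lattice(M, leq) and is_complemented(M, leq) and is_distributive(M, leq)


if __name__ == "__main__":
    M3 = boolean_nspace(3)
    print("({0,1}^3, <=) is a Boolean algebra:", is_boolean_algebra(M3, leq_componentwise))
    print("meet of (1,0,1) and (1,1,0):", meet(M3, leq_componentwise, (1, 0, 1), (1, 1, 0)))
    chain = [0, 1, 2]                       # a total order: lattice, not complemented
    print("chain complemented:", is_complemented(chain, lambda a, b: a <= b))
```

Because meet and join are found by search rather than assumed to be bitwise and/or, the check that they coincide with component-wise and/or on $\{0, 1\}^n$ is a genuine verification of the switching algebra claim, not a restatement of it.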

3. Boolean functions 

In circuit design, Boolean functions play a dominant role. They are based on Boolean n-spaces. A Boolean n-space is a multi-dimensional space spanned by $n$ binary-valued (so called Boolean) variables. It is denoted by $\{0, 1\}^n$.
3.1 Definition and properties 

A completely specified Boolean function is a mapping between two Boolean spaces and can be defined as follows.

Definition 2.8 (completely specified boolean function)

Let $n$ and $m$ be two natural numbers and $X_n = \{x_1, \ldots, x_n\}$ a set of $n$ input variables. A function $f : \{0, 1\}^n \to \{0, 1\}^m$ which associates every element of $\{0, 1\}^n$ with an element of $\{0, 1\}^m$ is called m-ary completely specified Boolean function with $n$ input variables or m-ary completely specified Boolean function over $X_n$. To simplify matters, we simply speak of Boolean functions in most cases. The set $X_n$ is called support of Boolean function $f$.

If the order of the variables is important, then we use $X_n$ as a sequence of variables. This will be denoted by the notation $[x_1, \ldots, x_n]$.

For fixed natural numbers $n$ and $m$, we denote the set $\{f ; f : \{0, 1\}^n \to \{0, 1\}^m\}$ of the m-ary Boolean functions with $n$ inputs by $B_{n,m}$. If $m = 1$, then we use the notation $B_n$ instead of $B_{n,1}$.

Each m-ary Boolean function $f \in B_{n,m}$ can be interpreted as an m-dimensional vector $(f_1, f_2, \ldots, f_m)$ or set $\{f_1, f_2, \ldots, f_m\}$ of Boolean functions $f_i \in B_n$.

Let us consider all m-ary Boolean functions with n input variables. Those 
functions can be ordered. We distinguish the following two ordering relations 
for Boolean functions. 

Definition 2.9 (smaller) A Boolean function $f := (f_1, \ldots, f_m) \in B_{n,m}$ is less than or equal to a Boolean function $g := (g_1, \ldots, g_m) \in B_{n,m}$, i.e., $f \le g$, if for all $i \in \mathbb{N}_m$ and for all assignments $\alpha \in \{0, 1\}^n$ the relation $f_i(\alpha) \le g_i(\alpha)$ holds.

Definition 2.10 (lexicographical smaller) A Boolean function $f \in B_n$ is lexicographically smaller than or equal to a Boolean function $g \in B_n$, i.e., $f \le_{lex} g$, if either $f = g$ or $f(\alpha_1, \ldots, \alpha_n) = 0$ and $g(\alpha_1, \ldots, \alpha_n) = 1$ for the binary vector $(\alpha_1, \ldots, \alpha_n) \in \{0, 1\}^n$ with minimal provided that $f(\alpha_1, \ldots, \alpha_n) \ne g(\alpha_1, \ldots, \alpha_n)$.

For illustration, let us consider the Boolean functions $f, g, h \in B_2$ defined by

  x2  x1 |  f   g   h
  -------+------------
   0   0 |  0   0   0
   0   1 |  0   1   1
   1   0 |  0   1   1
   1   1 |  1   1   0

It is easy to check that $f \le g$, $f \le_{lex} g$, $f \not\le h$, and $f \le_{lex} h$ hold.
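The two ordering relations applied to the table's functions, as an added Python example (not code from the book): an element of $B_n$ is represented as a truth table and Definitions 2.9 and 2.10 are implemented directly. Since the text as reproduced here does not fix which assignment counts as minimal in Definition 2.10, the example assumes the usual tuple order with $(0, \ldots, 0)$ first; for $f$, $g$, $h$ this assumption does not change the outcome. The names are this example's own.

```python
from itertools import product
from typing import Callable, Dict, Sequence, Tuple

Assignment = Tuple[int, ...]
BoolFun = Dict[Assignment, int]   # an element of B_n as a truth table


def truth_table(n: int, fn: Callable[..., int]) -> BoolFun:
    """Tabulate fn on all of {0,1}^n; argument order matches the tuple order."""
    return {alpha: fn(*alpha) & 1 for alpha in product((0, 1), repeat=n)}


def smaller(f: BoolFun, g: BoolFun) -> bool:
    """Definition 2.9 for B_n: f <= g iff f(alpha) <= g(alpha) for every alpha."""
    return all(f[alpha] <= g[alpha] for alpha in f)


def smaller_vector(fs: Sequence[BoolFun], gs: Sequence[BoolFun]) -> bool:
    """Definition 2.9 for B_{n,m}: the relation must hold for every component."""
    return len(fs) == len(gs) and all(smaller(f, g) for f, g in zip(fs, gs))


def lex_smaller(f: BoolFun, g: BoolFun) -> bool:
    """Definition 2.10: f <=lex g iff f = g, or at the minimal assignment on
    which f and g differ f is 0 and g is 1.  Assumption (the text as reproduced
    here leaves the measure open): assignments are ordered as tuples."""
    for alpha in sorted(f):
        if f[alpha] != g[alpha]:
            return f[alpha] == 0 and g[alpha] == 1
    return True


# The three functions of the table, with arguments in the table's column
# order (x2, x1): f = x2 AND x1, g = x2 OR x1, h = x2 XOR x1.
f = truth_table(2, lambda x2, x1: x2 & x1)
g = truth_table(2, lambda x2, x1: x2 | x1)
h = truth_table(2, lambda x2, x1: x2 ^ x1)


def check_table_claims() -> Tuple[bool, bool, bool, bool]:
    """(f <= g, f <=lex g, f <= h, f <=lex h): the text claims True, True, False, True."""
    return smaller(f, g), lex_smaller(f, g), smaller(f, h), lex_smaller(f, h)


if __name__ == "__main__":
    print(check_table_claims())
```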




EQUIVALENCE CHECKING OF DIGITAL CIRCUITS 



Both $(B_{n,m}, \le)$ and $(B_{n,m}, \le_{lex})$ are posets. $(B_{n,m}, \le_{lex})$ is not a complemented lattice in general whereas $(B_{n,m}, \le)$ is even a Boolean algebra. Any two Boolean functions $f$ and $g$ of $B_{n,m}$ have both meet and join with respect to relation $\le$ which are the logical-and, which we denote by $\cdot$ (or $\wedge$), and the logical-or, which we denote by $+$ (or $\vee$), of $f$ and $g$, respectively. Thus, $(B_{n,m}, \le)$ is a finite lattice and there is a largest element, denoted by $1$, and a smallest element, denoted by $0$. Each Boolean function $f$ has a well defined complement $f'$ such that meet of $f$ and $f'$ is $0$ and join of $f$ and $f'$ is $1$. Finally, it is easy to prove that the distributivity laws with respect to meet and join hold.

In practice, the functional behavior of a circuit does not have to be completely specified. This leads us to the definition of incompletely specified Boolean functions. An incompletely specified Boolean function is defined over a subset $D$ of the Boolean n-space $\{0, 1\}^n$ only. The elements of $\{0, 1\}^n$ outside $D$, where the function is not defined, are called don't care conditions.

Definition 2.11 (incompletely specified function) Let $n$ be a natural number. A function $f : D \to \{0, 1\}$ with $D \subseteq \{0, 1\}^n$ is called incompletely specified Boolean function with $n$ inputs. $D$ is the domain of $f$ which is denoted by $domain(f)$. The set $dc(f)$ which contains all elements of $\{0, 1\}^n$ not in $domain(f)$ is called don't care set of $f$. The sets $on(f)$ and $off(f)$ which are called on-set of $f$ and off-set of $f$, respectively, are defined as

$on(f) := \{\alpha \in domain(f) ; f(\alpha) = 1\}$

and

$off(f) := \{\alpha \in domain(f) ; f(\alpha) = 0\},$

respectively.

For a fixed subset $D \subseteq \{0, 1\}^n$, we denote the set of Boolean functions with domain $D$ by $S(D)$.

If we consider m-ary incompletely specified Boolean functions with $n$ input variables, then the don't care conditions may differ for each output of the function. Therefore, we often represent them as $f : \{0, 1\}^n \to \{0, 1, *\}^m$ where $*$ represents a don't care condition.

If we implement an incompletely specified Boolean function $f \in S(D)$ by a combinational circuit $G$, then the circuit $G$ will produce an output for each assignment to the primary inputs, even for those assignments which are in the don't care set of $f$. Hence, every implementation $G$ of an incompletely specified Boolean function $f \in S(D)$ for some $D \subseteq \{0, 1\}^n$ realizes a (completely specified) Boolean function $g \in B_n$ which we call extension of function $f$.
Definition 2.12 (extension of functions) Let $f$ and $g$ be incompletely specified Boolean functions. Function $g$ is an extension of $f$ if and only if $domain(f)$ is a subset of $domain(g)$ and $g(\alpha) = f(\alpha)$ holds for every element $\alpha \in domain(f)$.

Now we are going to discuss one more property of Boolean functions. For that, let us consider the following. $S(\{0, 1\}^n)$ is the set of incompletely specified Boolean functions with domain $\{0, 1\}^n$. Obviously, both $S(\{0, 1\}^n)$ and $B_n$ describe the same set of functions which is the set of completely specified Boolean functions. In other words, we can consider the set of completely specified Boolean functions as a special case of incompletely specified Boolean functions. Hence, any fact which we are going to discuss for incompletely specified Boolean functions can be applied to completely specified Boolean functions as well. However, note that we assume all functions to be completely specified if not explicitly stated otherwise in the following.

We close this section with further notations which we are going to use in later chapters.

Let $f \in S(D)$ be an incompletely specified Boolean function with $D \subseteq \{0, 1\}^n$. Then, $ON(f)$, $OFF(f)$, and $DC(f)$ denote completely specified Boolean functions of $B_n$ defined by

$\forall \alpha \in \{0, 1\}^n : ON(f)(\alpha) = 1 \Leftrightarrow \alpha \in on(f),$

$\forall \alpha \in \{0, 1\}^n : OFF(f)(\alpha) = 1 \Leftrightarrow \alpha \in off(f),$

and

$\forall \alpha \in \{0, 1\}^n : DC(f)(\alpha) = 1 \Leftrightarrow \alpha \in dc(f),$

respectively. $|f|$ denotes the number of elements in $on(f)$. This number is called satisfy count of function $f$.

$x_i \in B_n$ with $i \in \mathbb{N}_n$ denotes the Boolean function defined by

$\forall (\alpha_1, \alpha_2, \ldots, \alpha_n) \in \{0, 1\}^n : x_i(\alpha_1, \alpha_2, \ldots, \alpha_n) = \alpha_i.$

In other words, we can interpret variable $x_i$ as Boolean function of $B_n$ which outputs the $i$th argument.

$\oplus$ denotes the exclusive-or of Boolean functions. For two Boolean functions $f, g \in B_n$, $f \oplus g$ is defined by

$f \oplus g = (f \cdot g') + (f' \cdot g).$

$\bar{\cdot}$, $\bar{+}$, and $\bar{\oplus}$ denote the nand, nor, and equivalence of Boolean functions, respectively. For two Boolean functions $f, g \in B_n$, these operators are formally defined as $f \,\bar{\cdot}\, g = (f \cdot g)'$, $f \,\bar{+}\, g = (f + g)'$, and $f \,\bar{\oplus}\, g = (f \oplus g)'$, respectively.
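The notations of this section on incompletely specified functions, as an added Python example that is not part of the book: on-, off- and don't care sets, the characteristic functions $ON(f)$, $OFF(f)$, $DC(f)$, the satisfy count, the extension test of Definition 2.12 together with an enumeration of all completely specified extensions, and the xor, nand, nor and equivalence operators with xor built from the formula above. The sample function and all names are constructed for the example.

```python
from itertools import product
from typing import Dict, Iterator, List, Set, Tuple

Assignment = Tuple[int, ...]
# An incompletely specified f in S(D): the keys are domain(f) = D; an assignment
# that is not a key is a don't care.  A completely specified f has all 2^n keys.
Table = Dict[Assignment, int]


def space(n: int) -> List[Assignment]:
    return list(product((0, 1), repeat=n))


def on_set(f: Table) -> Set[Assignment]:
    return {a for a, v in f.items() if v == 1}


def off_set(f: Table) -> Set[Assignment]:
    return {a for a, v in f.items() if v == 0}


def dc_set(f: Table, n: int) -> Set[Assignment]:
    return set(space(n)) - set(f)


def characteristic(s: Set[Assignment], n: int) -> Table:
    """The completely specified function of B_n that is 1 exactly on s."""
    return {a: int(a in s) for a in space(n)}


def ON(f: Table, n: int) -> Table:
    return characteristic(on_set(f), n)


def OFF(f: Table, n: int) -> Table:
    return characteristic(off_set(f), n)


def DC(f: Table, n: int) -> Table:
    return characteristic(dc_set(f, n), n)


def satisfy_count(f: Table) -> int:
    """|f|, the number of elements of on(f)."""
    return len(on_set(f))


def is_extension(g: Table, f: Table) -> bool:
    """Definition 2.12: domain(f) is a subset of domain(g) and g = f on domain(f)."""
    return all(a in g and g[a] == f[a] for a in f)


def extensions(f: Table, n: int) -> Iterator[Table]:
    """All completely specified extensions of f, one per filling of dc(f)."""
    dcs = sorted(dc_set(f, n))
    for bits in product((0, 1), repeat=len(dcs)):
        g = dict(f)
        g.update(zip(dcs, bits))
        yield g


# Operators on completely specified functions over the same domain.
def complement(f: Table) -> Table:
    return {a: 1 - v for a, v in f.items()}


def AND(f: Table, g: Table) -> Table:
    return {a: f[a] & g[a] for a in f}


def OR(f: Table, g: Table) -> Table:
    return {a: f[a] | g[a] for a in f}


def XOR(f: Table, g: Table) -> Table:
    """f xor g = (f . g') + (f' . g), the formula given in the text."""
    return OR(AND(f, complement(g)), AND(complement(f), g))


def NAND(f: Table, g: Table) -> Table:
    return complement(AND(f, g))


def NOR(f: Table, g: Table) -> Table:
    return complement(OR(f, g))


def EQUIV(f: Table, g: Table) -> Table:
    return complement(XOR(f, g))


# Constructed sample: a 2-input function specified only on (0,0) and (1,1).
SAMPLE: Table = {(0, 0): 0, (1, 1): 1}

if __name__ == "__main__":
    print("dc(SAMPLE) =", sorted(dc_set(SAMPLE, 2)), "|SAMPLE| =", satisfy_count(SAMPLE))
    print("extensions:", len(list(extensions(SAMPLE, 2))))
```

Every implementation of an incompletely specified function realizes one of the tables produced by `extensions`, which is exactly the set an equivalence checker has to accept when the specification contains don't cares.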
3.2 Cofactors 

In order to analyze a Boolean function it can be helpful to decompose it with respect to a Boolean variable. In this context, cofactors play an important role.

Definition 2.13 (cofactor) Let $f \in B_{n,m}$ be a Boolean function. The cofactor of $f$ with respect to $x_i = c$ with $c \in \{0, 1\}$ is given by the mapping $f_{x_i=c}$ of $B_{n,m}$, defined by

$\forall \alpha = (\alpha_1, \ldots, \alpha_{i-1}, \alpha_i, \alpha_{i+1}, \ldots, \alpha_n) \in \{0, 1\}^n :$

$f_{x_i=c}(\alpha) := f(\alpha_1, \ldots, \alpha_{i-1}, c, \alpha_{i+1}, \ldots, \alpha_n).$

$f_{x_i=0}$ and $f_{x_i=1}$ are called negative and positive cofactor of $f$ with respect to $x_i$, respectively.

Note that the cofactor $f_{x_i=c}$ of a Boolean function of $B_{n,m}$ can be interpreted in a natural way as function of $B_{n-1,m}$ since the cofactor depends on at most $n - 1$ variables only.

Often the relation between both cofactors of a function with respect to a variable $x_i$ might be interesting as well. So let us consider them. For the sake of simplicity we consider Boolean functions of $B_n$ only.

Definition 2.14 (boolean difference) Let $f \in B_n$ be a Boolean function, then $\partial f / \partial x_i$ denotes the Boolean function defined by

$\partial f / \partial x_i := f_{x_i=0} \oplus f_{x_i=1}.$

We call it Boolean difference.

The Boolean difference of a function $f$ with respect to a variable $x_i$ indicates whether $x_i$ is observable at $f$. When it is zero, then the function does not depend on $x_i$.

Definition 2.15 (universal and existential quantification) The universal quantification and existential quantification of a Boolean function $f \in B_n$ with respect to a variable $x_i$ are defined by

$(\forall x_i : f) := f_{x_i=0} \cdot f_{x_i=1}$

and

$(\exists x_i : f) := f_{x_i=0} + f_{x_i=1},$

respectively.

The universal quantification of a Boolean function $f$ with respect to a variable $x_i$ represents the part of the domain of $f$ for which both assignments to $x_i$ evaluate the function to 1, whereas the existential abstraction represents the part of the domain for which at least one assignment to $x_i$ evaluates to 1.

Cofactoring with respect to different variables can be applied successively. It is important to note that cofactoring is commutative, i.e.,

$(f_{x_i=c_i})_{x_j=c_j} = (f_{x_j=c_j})_{x_i=c_i}.$

In the following, we use the notation $f_{[x_i, x_j]=(c_i, c_j)}$ to denote the iterated cofactor.

Now let us consider some properties which allow us to decompose Boolean functions into simpler subfunctions. These properties were introduced by Boole [14].

Theorem 2.1 (boole-shannon expansion) Let $f \in B_n$ be a Boolean function defined over the variable set $X_n$. Then $f$ can be decomposed in terms of a variable $x_i$ with $i \in \mathbb{N}_n$ as

$$f = (x_i' \cdot f_{x_i=0}) + (x_i \cdot f_{x_i=1}).$$

This decomposition is called Boole-Shannon expansion.

The proof of the theorem is straightforward: for any assignment of the variables, one of the terms $x_i \cdot f_{x_i=1}$ and $x_i' \cdot f_{x_i=0}$ evaluates to 0 and the other one to the value of $f$ under that assignment.

Theorem 2.2 (davio decomposition) Let $f \in B_n$ be a Boolean function over $X_n$. Then $f$ can be decomposed in terms of a variable $x_i \in X_n$ as

$$f = f_{x_i=0} \oplus (x_i \cdot \partial f/\partial x_i)$$

and

$$f = f_{x_i=1} \oplus (x_i' \cdot \partial f/\partial x_i).$$

These decompositions are called positive Davio decomposition and negative Davio decomposition, respectively.

Proof: Since for each assignment either $x_i$ or $x_i'$ evaluates to 0, we can transform the Boole-Shannon expansion as follows:

$$\begin{aligned}
f &= (x_i \cdot f_{x_i=1}) + (x_i' \cdot f_{x_i=0}) \\
  &= (x_i \cdot f_{x_i=1}) \oplus (x_i' \cdot f_{x_i=0}) \\
  &= (x_i \cdot f_{x_i=1}) \oplus ((1 \oplus x_i) \cdot f_{x_i=0}) \\
  &= (x_i \cdot f_{x_i=1}) \oplus f_{x_i=0} \oplus (x_i \cdot f_{x_i=0}) \\
  &= f_{x_i=0} \oplus (x_i \cdot (f_{x_i=1} \oplus f_{x_i=0})).
\end{aligned}$$

Analogously, the second equation of the theorem can be proven. ■

Last but not least let us mention another fact. The cofactor computation is a special case of the substitution-by-function operation, which plays an important role during equivalence checking of combinational circuits as well.

Definition 2.16 (substitution by function)
Let $f \in B_{n,m}$ be a Boolean function defined over the variable set $X_n$ and $g \in B_n$ a Boolean function which is defined over the same set of variables. Then $f_{x_i=g}$ denotes the Boolean function defined by

$$\forall (\alpha_1, \dots, \alpha_n) \in \{0,1\}^n : \quad f_{x_i=g}(\alpha_1, \dots, \alpha_n) = f(\alpha_1, \dots, \alpha_{i-1},\ g(\alpha_1, \dots, \alpha_n),\ \alpha_{i+1}, \dots, \alpha_n).$$

4. Pseudo-Boolean functions

Let us now consider another important tool for formal logic verification a little more closely. For the purposes of formal verification, m-ary Boolean functions are often considered as integer-valued Boolean functions.

Let $f \in B_{n,m}$ be an m-ary Boolean function with $n$ input variables. We can associate the mapping $F : \{0,1\}^n \to \mathbb{Z}$ defined by

$$\forall \alpha \in \{0,1\}^n : \quad F(\alpha) := \sum_{i=1}^{m} f_i(\alpha) \cdot 2^{i-1}$$

with $f$. Note that $\cdot$ denotes integer multiplication here and the iterated sum symbol denotes integer addition, so $F(\alpha)$ is the unsigned binary number whose $i$th bit is the $i$th output of $f$.

We call this type of function pseudo-Boolean function. They are defined as follows.

Definition 2.17 (pseudo-boolean function) Let $n$ be a natural number. A function $F : \{0,1\}^n \to \mathbb{Z}$ which associates every element of $\{0,1\}^n$ with an integer is called pseudo-Boolean function. We denote the set of pseudo-Boolean functions with $n$ inputs by $Z_n$.

A well-known pseudo-Boolean function is the two's complement decoding function $f : \{0,1\}^n \to \mathbb{Z}$ defined by

$$f(x_n, x_{n-1}, \dots, x_1) = \sum_{i=1}^{n-1} x_i \cdot 2^{i-1} - x_n \cdot 2^{n-1}.$$
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Similar to Boolean functions, pseudo-Boolean functions can be decomposed 
with respect to a variable Xi. 

Definition 2.18 (cofactor of a pseudo-boolean function) Let 
f £ Zn be a pseudo— Boolean function. The cofactor of f with respect to Xi = c 
with c G {0, 1} is given by the mapping fxi=c of Zn, defined by 

Vcr . — {oil, • ■ ■ 1 Oli—l, oil, , CVn) £ {0, 1} 

fxi=c{oi) ■= f{oil, . . . , Oli—l, C, Q!j+1 , ■ ■ ■ , CVn) ■ 

fxi=o ond fxi=i are called negative and positive cofactor of f with respect to 
Xi, respectively. 

Again, the cofactor $f_{x_i=c}$ of a pseudo-Boolean function of $Z_n$ can be interpreted as a function of $Z_{n-1}$ since the cofactor depends on at most $n-1$ variables only. Cofactoring of pseudo-Boolean functions has the same properties as cofactoring of Boolean functions, i.e., it can be applied successively and it is commutative. Furthermore, the substitution-by-function operation for pseudo-Boolean functions is defined in the same way as for Boolean functions. Hence, we refer to the previous section about cofactoring of Boolean functions.

A frequently used relation between the two cofactors of a pseudo-Boolean function with respect to a variable $x_i$ is defined as follows.

Definition 2.19 (linear moment)
Let $f \in Z_n$ be a pseudo-Boolean function. Then $\partial f/\partial x_i$ denotes the pseudo-Boolean function defined by

$$\partial f/\partial x_i := f_{x_i=1} - f_{x_i=0},$$

where $-$ denotes integer subtraction. The function $\partial f/\partial x_i$ is called linear moment of $f$ with respect to $x_i$ and is often denoted by $f_{x_i}$ in the literature.

Moreover, there is a decomposition theorem for pseudo-Boolean functions as well. It is due to Bryant and Chen [20, 23].

Theorem 2.3 (moment decomposition)
Let $f \in Z_n$ be a pseudo-Boolean function defined over the variable set $X_n$. Then $f$ can be decomposed in terms of a variable $x_i$ with $i \in \mathbb{N}_n$ as

$$f = f_{x_i=0} + x_i \cdot f_{x_i},$$

where $+$ and $\cdot$ denote integer addition and integer multiplication, respectively. The decomposition is called moment decomposition of $f$ with respect to variable $x_i$. In this context, the function $f_{x_i=0}$ is called constant moment of $f$ with respect to variable $x_i$.
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Proof: For any assignment a of the variables either Xi or x/ evaluates to 0. 
Thus the equation 

f — Xi • fxi=l + Xi • fx^=0 

holds where + and • denote integer addition and integer multiplieation, re- 
spectively. As the pseudo-Boolean function 1 — Xi represents x/, the above 
equation is equivalent to 

f = {Xi- fxi=l) + (1 - Xi) ■ fxi =0 

and the theorem immediately follows. ■ 




Chapter 3 



REPRESENTATION OF BOOLEAN AND PSEUDO 
BOOLEAN FUNCTIONS 



The efficiency of algorithms for specific problems highly depends on an ap- 
propriate representation of the objects which have to be manipulated. In this 
chapter, we review and analyze the different representations of Boolean func- 
tions with respect to their applicability in the context of formal verification. So 
we are able to better understand why some data structures are used and why 
others are not used. 

Following [76], we start with a formal definition of representations of Boolean or pseudo-Boolean functions. For fixed $n$ and $m$, let $\mathcal{F}_{n,m}$ be either the set $B_{n,m}$ of m-ary Boolean functions with $n$ input variables or the set $Z_n$ of pseudo-Boolean functions with $n$ input variables.

Definition 3.1 (representation of functions) Let $\mathcal{R}_{n,m}$ be a finite set and $\phi$ be a mapping which uniquely associates every element $r \in \mathcal{R}_{n,m}$ with a function of $\mathcal{F}_{n,m}$, i.e., $\phi : \mathcal{R}_{n,m} \to \mathcal{F}_{n,m}$. Then $(\mathcal{R}_{n,m}, \phi)$ is called representation of the functions of $\mathcal{F}_{n,m}$. The mapping $\phi$ is called interpretation of $\mathcal{R}_{n,m}$. If $\phi(r) = f$ holds, then $r$ is called representation of $f$.

1. Desirable properties of representations

Representations of Boolean and pseudo-Boolean functions should have some special properties in order to be applicable for formal verification.

Definition 3.2 A representation $(\mathcal{R}_{n,m}, \phi)$ of functions of $\mathcal{F}_{n,m}$ is called

■ complete if $\phi$ is surjective, i.e., if for every function $f \in \mathcal{F}_{n,m}$ there is an element $r \in \mathcal{R}_{n,m}$ such that $r$ is a representation of $f$. If $(\mathcal{R}_{n,m}, \phi)$ is complete, $\mathcal{R}_{n,m}$ is said to be a representation of $\mathcal{F}_{n,m}$.

■ unique if $\phi$ is injective, i.e., if $\phi(r) \neq \phi(q)$ holds for any two representations $r, q \in \mathcal{R}_{n,m}$ with $r \neq q$.

■ canonical if $\phi$ is bijective, i.e., if the representation is complete and unique.

Uniqueness is a very important property with respect to equivalence checking: whenever a representation $(\mathcal{R}_{n,m}, \phi)$ is unique, then for each $s, t \in \mathcal{R}_{n,m}$ the represented functions $\phi(s)$ and $\phi(t)$ are equal if and only if the representations $s$ and $t$ are equal.

Of course, uniqueness is not quite enough. The data structure has to allow efficient implementations of the essential operations needed during formal equivalence checking. The essential operations are

■ the unary and binary Boolean operations, that is, given two representations $s$ and $t$ of Boolean functions of $B_{n,m}$, compute the representations $u$ of $\phi(s) \cdot \phi(t)$, $v$ of $\phi(s) + \phi(t)$, and $w$ of $\phi(s)'$. These operations are needed to synthesize a representation of the function realized by a given combinational circuit.

■ cofactor computation with respect to a variable $x_i$, i.e., given a representation $s$ of a Boolean or pseudo-Boolean function, compute representations $u$ and $v$ of $\phi(s)_{x_i=0}$ and $\phi(s)_{x_i=1}$, respectively. As already mentioned, cofactor computation is applied during the analysis of Boolean functions.

■ substitution by functions with respect to a variable $x_i$, i.e., given two representations $s$ and $t$, compute a representation $u$ of $\phi(s)_{x_i=\phi(t)}$.

■ tautology check and satisfiability check, i.e., given a representation $s$ of a Boolean function, decide whether $\phi(s) = 1$ and whether $\phi(s) \neq 0$, respectively. It is easy to see that checking whether a given Boolean function is a tautology or whether it is satisfiable is a special case of the equivalence checking problem (compare $s$ against a representation of the constant 1 or 0).

■ satisfy count, i.e., given a representation $s$ of a Boolean function of $B_n$, compute the satisfy count $|\phi(s)|$ of $\phi(s)$. Note that the satisfy count can be used as a filter during equivalence checking: given two representations $s, t$ of Boolean functions of $B_n$, if $|\phi(s)| \neq |\phi(t)|$ then $\phi(s) \neq \phi(t)$ holds.

There are many other operations which can be efficiently implemented using the operations listed above. We do not go into details here.

In the following, the elements of $\mathcal{R}_{n,m}$ are always going to be considered as a data structure in a computer. Let $csize(r)$ be the size of the data structure of element $r \in \mathcal{R}_{n,m}$, i.e., the number of bits necessary to represent $r$ in a computer. Then the complexity of a Boolean or pseudo-Boolean function $f$ with respect to $(\mathcal{R}_{n,m}, \phi)$ can be defined as

$$csize_{(\mathcal{R}_{n,m},\phi)}(f) := \min\{csize(r);\ r \in \mathcal{R}_{n,m} \text{ and } \phi(r) = f\}.$$

We define $csize_{(\mathcal{R}_{n,m},\phi)}(f) = +\infty$ for those functions $f$ which have no representation in $\mathcal{R}_{n,m}$.

For practical considerations we have to accept the following fact.

Theorem 3.1 Let $(\mathcal{R}_{n,1}, \phi)$ be a complete representation of $B_n$ and let $p < 2^n$ be a natural number. More than $2^{2^n} \cdot (1 - 2^{p-2^n})$ Boolean functions of $B_n$ have complexities which are larger than or equal to $p$.

Proof: The cardinality of the set $\{r;\ r \in \mathcal{R}_{n,1} \text{ and } csize(r) < p\}$ is less than $2^p$, as $csize$ denotes the size of $r$ in bits and there are only $2^p - 1$ bit strings of length less than $p$. Thus, fewer than $2^p$ Boolean functions of $B_n$ have complexities which are less than $p$. It immediately follows that there are more than $2^{2^n} - 2^p = 2^{2^n} \cdot (1 - 2^{p-2^n})$ Boolean functions $f$ of $B_n$ with $csize_{(\mathcal{R}_{n,1},\phi)}(f) \geq p$. ■

In other words, there is no complete representation $(\mathcal{R}_{n,1}, \phi)$ of $B_n$ with workable size complexity for all Boolean functions. A representation of practical interest can only be compact for the functions that actually occur in applications.

2. Traditional representations of Boolean functions

Let us review the most important traditional forms of representations of Boolean functions: truth tables, Boolean networks, Boolean formulae, and sums of products.

2.1 Truth tables

The most apparent way of representing a Boolean function $f$ is to use the truth table of $f$. The truth table of a Boolean function $f$ is a complete listing of the function values starting with the function value $f(0, \dots, 0)$ up to the function value $f(1, \dots, 1)$. Usually, the truth table of a Boolean function $f \in B_{n,m}$ is coded as the $m$-dimensional Boolean vector $F[0 : 2^n - 1]$ with

$$\forall \alpha = (\alpha_1, \dots, \alpha_n) \in \{0,1\}^n : \quad f(\alpha) = F\left[\sum_{i=1}^{n} \alpha_i \cdot 2^{i-1}\right].$$

For illustration, let us consider a Boolean function $f \in B_{3,2}$. Assume that the first output $y_1$ of $f$ evaluates to 1 if both input $x_1$ and input $x_2$ are set to 1, and the second output $y_2$ of $f$ is 1 if $y_1$ is 1 or input $x_3$ is assigned value 1. This Boolean function can be represented by the truth table $F$

    beta   |   0     1     2     3     4     5     6     7
    F[beta]| (0,0) (0,0) (0,0) (1,1) (0,1) (0,1) (0,1) (1,1)

where $\beta = \alpha_1 + 2\alpha_2 + 4\alpha_3$ denotes the index of the Boolean vector.

Truth tables have very nice properties. They are a canonical representation of Boolean functions. In particular, the equivalence check can be done in linear time with respect to the size of the representation. The time complexity of the remaining operations listed above is linear as well. Thus, truth tables are an ideal representation of Boolean functions as long as the number $n$ of inputs is not too large, as the space complexity is exponential in $n$. Indeed, truth tables are unbeatable for Boolean functions $f \in B_n$ with $n < c$ for some constant $c \in \{8, 9, 10, 11\}$.

2.2 Boolean networks

Basically, Boolean networks are labelled directed acyclic graphs. In contrast to truth tables, which represent the pure functional behavior of a circuit, Boolean networks are structural representations of circuits, i.e., they are much more in accordance with the intuitive notion of combinational circuits.

In the following, let $\Omega \subset \bigcup_{i \in \mathbb{N}} B_i$ be a finite subset of single-output Boolean functions which constitutes the cell library we use for our circuits. Furthermore, we denote the input pads of the network with IPAD and the output pads with OPAD.

Definition 3.3 (boolean network [128])

Let $T = \Omega \cup \{IPAD, OPAD\}$. A Boolean network $\mathcal{N}$ over $\Omega$ with $n$ inputs and $m$ outputs is a tuple $(G, type, pe, pa)$ with

■ $G = (V, E)$ is a directed acyclic graph which is node oriented, i.e., for all nodes $v \in V$ there is an order on the incoming edges. More exactly, $V$ is the set of nodes (which represent the active elements of the circuit) and $E$ is the set of edges (the signals of the circuit). Source and target of an edge are given by functions $source : E \to V$ and $target : E \to V$. The indegree of a node $v \in V$ is given by the mapping $indeg : V \to \mathbb{N}_0$ which is defined by $indeg(v) = |\{e \in E;\ target(e) = v\}|$. Accordingly, the fanout of $v$ is given by $fanout : V \to \mathbb{N}_0$ with $fanout(v) = |\{e \in E;\ source(e) = v\}|$. The node orientations of $G$ are given by a one-to-one mapping $I$: $I(v, i)$ denotes the $i$th incoming edge of node $v \in V$ for $i \in \mathbb{N}_{indeg(v)}$.

■ $type : V \to T$ is a mapping which assigns a cell of $T$ to each node. There are exactly $n$ nodes of type $IPAD$ and $m$ nodes of type $OPAD$. If $type(v)$ is a cell of the cell library $\Omega$, then $type(v) \in B_{indeg(v)}$. If $type(v) = IPAD$, then $v$ does not have any incoming edge, i.e., $indeg(v) = 0$. If $type(v) = OPAD$, then $indeg(v) = 1$ and $fanout(v) = 0$.

■ The mappings $pe : \mathbb{N}_n \to \{v \in V;\ type(v) = IPAD\}$ and $pa : \mathbb{N}_m \to \{v \in V;\ type(v) = OPAD\}$ are one-to-one functions which give the orders of the IPAD and OPAD nodes. $pe(i)$ and $pa(j)$ are called $i$th primary input and $j$th primary output of $\mathcal{N}$, respectively.

The interpretation of a Boolean network $\mathcal{N}$ with $n$ inputs and $m$ outputs can be defined in a straightforward way. We associate every edge $e$ of the Boolean network with the Boolean function $f_e$ which is computed at this edge. Assume that edge $e$ is driven by node $v$, i.e., $e = (v, w)$ for some node $w$. If $v$ is the $i$th primary input then $f_e$ is the Boolean function $x_i$. If $v$ is an inner node, i.e., $type(v) = g$ for some cell $g \in \Omega$, we consider the incoming edges $e_1, \dots, e_{indeg(v)}$ of $v$. Assume that $e_k = I(v, k)$ for $k = 1, \dots, indeg(v)$. Then the Boolean function $f_e$ computed at edge $e$ is given by

$$f_e = g \circ (f_{e_1} \times \dots \times f_{e_{indeg(v)}}),$$

where $\circ$ and $\times$ denote composition and parallel execution of functions, respectively. Now consider the primary outputs of $\mathcal{N}$. Let $y_j$ be the incoming edge of the $j$th primary output. Then Boolean network $\mathcal{N}$ realizes the m-ary Boolean function

$$\phi(\mathcal{N}) = f_{y_1} \times \dots \times f_{y_m},$$

which is a Boolean function with $n$ inputs.

For illustration, see Figure 3.1, which shows a Boolean network realizing the Boolean function already used for illustration in Section 2.1. The input pads ($v_1, v_2, v_3$) and output pads ($v_6, v_7$) are represented by the grey nodes and black nodes, respectively.

All the synthesis operations, i.e., the unary and binary Boolean operations, the cofactor computation, and the substitution by functions, can be done very efficiently. However, Boolean networks are not a unique representation of Boolean functions. Furthermore, it is well known from complexity theory that the satisfiability check applied to Boolean networks is NP-hard, and that tautology check and equivalence check are co-NP-hard [53]. Therefore, Boolean networks are not suitable for formal logic verification, in general.
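To make Sections 2.1 and 2.2 concrete, here is an added Python example (not code from the book or from any cited tool): it builds a node-oriented Boolean network for the illustration function over the cell library {AND, OR, NOT}, evaluates it edge by edge following the interpretation above, and produces the truth-table vector $F[0 : 2^n - 1]$ of Section 2.1, on which the equivalence check and the satisfy count are a single linear scan. A second, structurally different network for the same function shows why networks are not unique while their truth tables are. Node numbers, the class and all function names are this example's own assumptions.

```python
"""A Boolean network (Definition 3.3) evaluated into the truth-table vector
F[0 : 2^n - 1] of Section 2.1, plus the linear-time equivalence check and
satisfy count that truth tables allow (added example)."""
from itertools import product

# Cell library Omega: single-output cells keyed by name, with arity and function.
CELLS = {
    "AND": (2, lambda a, b: a & b),
    "OR":  (2, lambda a, b: a | b),
    "NOT": (1, lambda a: 1 - a),
}


class BooleanNetwork:
    """Nodes are integers; type(v) is IPAD, OPAD or a cell name. The ordered
    incoming edges I(v, 1..indeg(v)) are stored per node as the list of
    source nodes (an edge is identified with its source here)."""

    def __init__(self):
        self.type, self.inputs = {}, {}
        self.pe, self.pa = [], []        # primary inputs / outputs in order

    def add(self, v, typ, sources=()):
        arity = 0 if typ == "IPAD" else 1 if typ == "OPAD" else CELLS[typ][0]
        if len(sources) != arity:
            raise ValueError(f"node {v}: {typ} expects indeg {arity}")
        self.type[v], self.inputs[v] = typ, list(sources)
        if typ == "IPAD":
            self.pe.append(v)
        if typ == "OPAD":
            self.pa.append(v)
        return v

    def evaluate(self, alpha):
        """Output values for input alpha = (a_1, ..., a_n): f_e = g o (f_e1 x ...)
        computed by memoised recursion along the (acyclic) incoming edges."""
        val = {}

        def at(v):
            if v not in val:
                t = self.type[v]
                if t == "IPAD":
                    val[v] = alpha[self.pe.index(v)]
                elif t == "OPAD":
                    val[v] = at(self.inputs[v][0])
                else:
                    val[v] = CELLS[t][1](*(at(u) for u in self.inputs[v]))
            return val[v]
        return [at(o) for o in self.pa]

    def truth_table(self):
        """Vector F with F[sum a_i 2^(i-1)] = f(a), as coded in Section 2.1."""
        n = len(self.pe)
        F = [None] * (1 << n)
        for a in product((0, 1), repeat=n):
            F[sum(a[i] << i for i in range(n))] = tuple(self.evaluate(a))
        return F


def equivalent(F, G):
    """Truth tables are canonical: vector equality is functional equivalence."""
    return F == G


def satisfy_count(F, j):
    """|f_j|: number of inputs on which output j evaluates to 1."""
    return sum(row[j] for row in F)


def example_network():
    """y1 = x1 . x2, y2 = y1 + x3 (the Section 2.1 function; node numbers are
    this example's own)."""
    N = BooleanNetwork()
    v1, v2, v3 = (N.add(i, "IPAD") for i in (1, 2, 3))
    v4 = N.add(4, "AND", [v1, v2])
    v5 = N.add(5, "OR", [v4, v3])
    N.add(6, "OPAD", [v4])
    N.add(7, "OPAD", [v5])
    return N


def alternative_network():
    """Same function, different structure: the AND is duplicated and the
    operand order of one AND is swapped."""
    N = BooleanNetwork()
    for i in (1, 2, 3):
        N.add(i, "IPAD")
    N.add(4, "AND", [2, 1])
    N.add(5, "AND", [1, 2])
    N.add(6, "OR", [3, 5])
    N.add(7, "OPAD", [4])
    N.add(8, "OPAD", [6])
    return N
```

`truth_table` enumerates all $2^n$ inputs, which is exactly the exponential cost the text warns about; for the small $n$ where truth tables are unbeatable this is the whole equivalence checker.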
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2.3 Boolean formulae 

A very common method to represent Boolean functions is to use Boolean for- 
mulae. 

Definition 3.4 (boolean formulae) The set BlF{Xn) of Boolean for- 
mulae over Xn is defined as follows. 

■ The symbols x\, . . . , x„, 0, and 1 are Boolean formulae over X^- 

■ If wi, . . . ,Wk are Boolean formulae over Xn, then so are the conjunction 
(rui) • . . . • (wk) and the disjunction (rui) + . . . + (rufc). 

■ If w is a Boolean formula over Xn, then (w)' is a Boolean formula over 
Xn- It is called complement of w. 

■ A string is a Boolean formula over Xn if and only if it can be derived by 
applying the previous rules a limited number of times. 

To simplify matters, we drop most parentheses by assuming that • takes prece- 
dence over -h. Sometimes we also drop • when no ambiguity arises. Further- 
more we use xf instead of (xi)', in the following. Sometimes, we use and 
x\ to denote xf and Xi, respectively. 

The interpretation (/) : BIF{Xn) of Boolean formulae is a homomorphism 

defined by 

■ f{Xi) = Xi, 

■ </>(0) = 0, 

■ </>(!) = 1, 

■ • . . . • {wk)) = fiwi) • . . . • 4>{Wk), 
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■ (j){{wi) + . . . + {wk)) = 4>{wi) + . . . + 4>{wk), and 

■ = 4>{w)'. 

We say that the Boolean formula tu is a Boolean formula of a Boolean function 
/ G if = f holds. 

Boolean formulae are usually coded by syntax-trees with respect to the context-free grammar [2]

    start symbol: E
    <E> -> <E> + <T> | <T>
    <T> -> <T> . <F> | <F>
    <F> -> <F>' | (<E>) | 0 | 1 | x_1 | ... | x_n

For illustration we refer to Figure 3.2. More details can be found in [2].

Figure 3.2. At the left: derivation of the Boolean formula $(x_1 \cdot x_2) + x_3$ with respect to the context-free grammar from above. At the right: the corresponding syntax-tree.



$(BF(X_n), \phi)$ is a complete representation of $B_n$. The unary and binary Boolean operations can be done in constant time: just insert a new root whose outgoing edges point to the operands. Cofactoring can be performed in linear time with respect to the size of the syntax-tree. Let $w$ be a syntax-tree which represents the Boolean function $f \in B_n$; then a syntax-tree for $f_{x_i=1}$ for some variable $x_i$ can be computed by replacing the leaves marked with symbol $x_i$ by leaves marked with symbol 1. To compute $f_{x_i=0}$, just replace the leaves marked with symbol $x_i$ by leaves marked with symbol 0. In the same manner, $f_{x_i=g}$ can be computed for some Boolean function $g$: just replace the leaves labelled with $x_i$ by the given syntax-tree of $g$.
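An added example, not from the book or from [2]: a recursive-descent parser for the context-free grammar above (the two left-recursive rules are implemented as loops, so `+` and `.` associate to the left and `'` binds tightest), the interpretation $\phi$ by evaluation, and cofactoring and substitution by function as leaf replacement on the syntax-tree. Tokens are `x<i>`, `0`, `1`, `+`, `.`, `'` and parentheses; the tuple encoding of trees and all names are this example's own.

```python
"""Boolean formulae as syntax-trees: parser for <E> -> <E>+<T> | <T>,
<T> -> <T>.<F> | <F>, <F> -> <F>' | (<E>) | 0 | 1 | x_i, interpretation phi,
and cofactor / substitution-by-function as leaf replacement (added example)."""
import re
from itertools import product


def tokenize(s):
    """Split into tokens x<i>, 0, 1, +, ., ', ( and ); reject anything else."""
    s = s.replace(" ", "")
    toks = re.findall(r"x\d+|[01+.()']", s)
    if "".join(toks) != s:
        raise ValueError("not a Boolean formula: " + s)
    return toks


class Parser:
    """Trees: ("var", i), ("const", c), ("+", l, r), (".", l, r), ("'", w)."""

    def __init__(self, s):
        self.t, self.i = tokenize(s), 0

    def peek(self):
        return self.t[self.i] if self.i < len(self.t) else None

    def take(self, tok):
        if self.peek() != tok:
            raise ValueError(f"expected {tok!r} at token {self.i}")
        self.i += 1

    def parse(self):
        e = self.E()
        if self.peek() is not None:
            raise ValueError("trailing input")
        return e

    def E(self):                       # <E> -> <E> + <T> | <T>, as a loop
        e = self.T()
        while self.peek() == "+":
            self.i += 1
            e = ("+", e, self.T())
        return e

    def T(self):                       # <T> -> <T> . <F> | <F>
        t = self.F()
        while self.peek() == ".":
            self.i += 1
            t = (".", t, self.F())
        return t

    def F(self):                       # <F> -> <F>' | (<E>) | 0 | 1 | x_i
        tok = self.peek()
        if tok == "(":
            self.i += 1
            f = self.E()
            self.take(")")
        elif tok in ("0", "1"):
            self.i += 1
            f = ("const", int(tok))
        elif tok is not None and tok.startswith("x"):
            self.i += 1
            f = ("var", int(tok[1:]))
        else:
            raise ValueError(f"unexpected token {tok!r}")
        while self.peek() == "'":      # postfix complement, binds tightest
            self.i += 1
            f = ("'", f)
        return f


def phi(tree, alpha):
    """Interpretation: value of the formula at assignment alpha = (a_1, ..., a_n)."""
    k = tree[0]
    if k == "const":
        return tree[1]
    if k == "var":
        return alpha[tree[1] - 1]
    if k == "'":
        return 1 - phi(tree[1], alpha)
    l, r = phi(tree[1], alpha), phi(tree[2], alpha)
    return l | r if k == "+" else l & r


def substitute(tree, i, g):
    """f_{x_i=g}: every leaf x_i is replaced by the syntax-tree g
    (Definition 2.16); linear in the size of the tree."""
    k = tree[0]
    if k == "var":
        return g if tree[1] == i else tree
    if k == "const":
        return tree
    return (k,) + tuple(substitute(child, i, g) for child in tree[1:])


def cofactor(tree, i, c):
    """f_{x_i=c} is substitution by the constant formula c."""
    return substitute(tree, i, ("const", c))


def truth_table(tree, n):
    """phi as a tuple over {0,1}^n in lexicographic order (exponential in n)."""
    return tuple(phi(tree, a) for a in product((0, 1), repeat=n))


def size(tree):
    """Number of nodes of the syntax-tree."""
    return 1 if tree[0] in ("var", "const") else 1 + sum(size(c) for c in tree[1:])
```

`truth_table` is the brute-force way to compare two formulae; the text's point is that nothing better than exponential is known in general, since the problem is co-NP-hard.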
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Unfortunately, Boolean formulae are not a unique representation of Boolean 
functions. In particular, it is easy to see that there exist an infinite number of 
Boolean formulae which represent the same function, as(j){w-w) = (j){w) holds 
for every Boolean formula m G BIF{Xn)- Worst of all, the decision problem as 
to whether two given Boolean formulae represent the same Boolean function is 
co-NP-hard as the well-known satisfiability problem which is the decision prob- 
lem as to whether a given Boolean formula differs from the constant Boolean 
function 0 is NP-hard. Thus, the decision problem as to whether the satisfy 
count of a given Boolean formula is larger than 0 is NP-hard, too. 

2.4 Sums of products

We can impose restrictions on the form of formulae so that there is only one formula for each Boolean function.

Definition 3.5 (sum of products, minterm form) Let $f \in B_n$ be a Boolean function over $X_n$.

■ The Boolean formulae $x_i$ and $x_i'$ over $X_n$ are called literals, namely the positive literal and the negative literal, respectively.

■ A cube or a product is a conjunction of literals that contains each variable of $X_n$ at most once.

■ A cube $c$ is called cube of $f$ if $0 \neq \phi(c) \leq f$ holds.

■ A minterm is a cube that contains each variable of $X_n$ exactly once, either as positive or as negative literal.

■ A sum of products is a disjunction of cubes that contains each cube at most once.

■ The sum of products of a Boolean function $f \in B_n$ which consists of the minterms of $f$ is called minterm form of $f$. We call the set of the minterms of a Boolean function $f$ satisfy set of $f$.



As illustration, let us take the Boolean function $y_2 \in B_3$ already used in Section 2.1 once more. Obviously, the Boolean formula

$$(x_1 \cdot x_2 \cdot x_3) + (x_1 \cdot x_2 \cdot x_3') + (x_1' \cdot x_2 \cdot x_3) + (x_1 \cdot x_2' \cdot x_3) + (x_1' \cdot x_2' \cdot x_3)$$

is a minterm form of that Boolean function. It is unique up to permutation of the minterms. The Boolean formula

$$(x_1 \cdot x_2) + x_3$$

is a sum of products of the same Boolean function but not a minterm form.
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Since the set of minterms of a Boolean function / is unique, minterm forms are 
a canonical representation of Boolean functions. Equivalence check, tautology 
check, and satisfiability check can be done in polynomial time with respect to 
the size of the minterm forms. Furthermore, the satisfy count of a minterm 
form can also be computed in linear time. Given the minterm forms of two 
Boolean functions /, 5 G Bn, the minterm forms oi f • g, f + g, and fxi=g for 
some variable Xi of /, respectively, can be computed in polynomial time, too. 
Complementing a minterm form may be a very time consuming operation. Just 
try to explicitly construct the minterm form of 4>{{xi ■ X 2 ■ ■ ■ ■ ■ Xn)')- 

However, since the size of the minterm forms of most Boolean functions oc- 
curring in applications is exponential in the number of variables minterm forms 
are not used in practice. Indeed, the size of the minterm form of a Boolean 
function / is proportional to the satisfy count of / which is exponential in the 
number of variables, in general. 

In many applications sums of products are used as representations of Boolean functions, as sums of products often are much smaller than minterm forms. Nevertheless, many Boolean functions, for example $n$-bit binary addition and parity with $n$ input variables, do not have sums of products of practicable size. The smallest sums of products of these Boolean functions are exponential in $n$.

The satisfiability problem applied to sums of products can be solved in a very easy way: just take one cube $c$ of the given sum of products and assign Boolean values to the variables occurring in $c$ accordingly. However, as the cubes of a sum of products do not have to be disjoint, tautology check and satisfy count cannot be computed efficiently if sums of products are used. Furthermore, complementing sums of products is very time consuming as well. For example, consider the sum of products $(x_1 \cdot x_2) + (x_3 \cdot x_4) + \ldots + (x_{n-1} \cdot x_n)$ and complement it: the smallest sum of products of the complement has $2^{n/2}$ cubes, one for each choice of one negative literal from every pair.
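An added example (not from the book) for this subsection: cubes as sets of literals, the minterm form read off a function as its satisfy set, satisfiability by picking one cube, and the complement of a sum of products by multiplying out De Morgan's product of sums, which turns the $n/2$ cubes of $(x_1 \cdot x_2) + \ldots + (x_{n-1} \cdot x_n)$ into $2^{n/2}$ cubes. All names are this example's own.

```python
"""Sums of products: minterm forms, their canonicity, satisfiability from a
single cube, and the blow-up of complementation (added example)."""
from itertools import product

# A literal is (i, polarity): (i, 1) is x_i and (i, 0) is x_i'. A cube is a
# frozenset of literals containing each variable at most once; a sum of
# products is a set of cubes.


def literal_str(lit):
    return f"x{lit[0]}" + ("" if lit[1] else "'")


def sop_str(sop):
    """Human-readable form, e.g. (x1.x2) + (x3)."""
    cubes = sorted(sop, key=sorted)
    return " + ".join("(" + ".".join(literal_str(l) for l in sorted(c)) + ")"
                      for c in cubes) or "0"


def minterm_form(n, fn):
    """Satisfy set of f in B_n: one minterm per assignment a with f(a) = 1."""
    return {frozenset((i + 1, a[i]) for i in range(n))
            for a in product((0, 1), repeat=n) if fn(*a)}


def evaluate(sop, alpha):
    """phi of the sum of products at alpha = (a_1, ..., a_n)."""
    return int(any(all(alpha[i - 1] == pol for i, pol in cube) for cube in sop))


def equivalent(sop1, sop2, n):
    """Brute-force equivalence check, exponential in n."""
    return all(evaluate(sop1, a) == evaluate(sop2, a)
               for a in product((0, 1), repeat=n))


def satisfying_assignment(sop, n):
    """Take any cube and assign its literals; the other variables are free."""
    if not sop:
        return None
    alpha = [0] * n
    for i, pol in next(iter(sop)):
        alpha[i - 1] = pol
    return tuple(alpha)


def complement(sop):
    """(c_1 + ... + c_k)' = c_1' . ... . c_k'. Each c_j' is a sum of single
    (negated) literals; the product is multiplied out and contradictory cubes
    (containing x_i and x_i') are dropped. The number of cubes can grow
    exponentially in k."""
    result = {frozenset()}
    for cube in sop:
        negated = [frozenset([(i, 1 - pol)]) for i, pol in cube]
        result = {c | lit for c in result for lit in negated
                  if not any((i, 1 - pol) in c for i, pol in lit)}
    return result


def chain(n):
    """(x1.x2) + (x3.x4) + ... + (x_{n-1}.x_n) for even n."""
    return {frozenset([(i, 1), (i + 1, 1)]) for i in range(1, n, 2)}
```

`complement` does not minimise its output, so for overlapping cubes it may contain subsumed cubes; for the chain example every cube of the result is a prime implicant, so the count it returns is the size of the smallest sum of products of the complement.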

3. Binary Decision Diagrams

Binary decision diagrams (BDDs) as a data structure for the representation of Boolean functions were first introduced by Lee [88] and further popularized by Akers [3] and Moret [111]. As BDDs play a dominant role in today's formal verification tools, we will discuss BDDs in detail. This and the next section will follow the paper of Drechsler and Sieling [47], in part.

3.1 Basic definitions

Definition 3.6 (binary decision diagram) A binary decision diagram (BDD) over $X_n$ is a directed acyclic graph $G = (V, E, index, value)$ with a set of nodes $V$ containing two types of nodes, internal and terminal nodes. An internal node $v$ has as label a variable $index(v) \in X_n$ and two children $low(v), high(v) \in V$. The edges $(v, low(v))$ and $(v, high(v))$ are called low-edge, or 0-edge, and high-edge, or 1-edge, of $v$, respectively. The nodes $low(v)$ and $high(v)$ are called low-successor, or 0-successor, and high-successor, or 1-successor, of $v$, respectively. A terminal node $v$ is labelled with a value $value(v) \in \{0,1\}$ and has no outgoing edge.

The size $|G|$ of a BDD $G$ is defined as the number of internal nodes of $G$.

BDDs over $X_n$ can be used to compute Boolean functions of $B_n$ in the following way. Each input $\alpha = (\alpha_1, \dots, \alpha_n) \in \{0,1\}^n$ defines a computation path through the BDD that starts at some distinguished node, the root of the corresponding Boolean function. If the path reaches an internal node $w$ that is labelled with $x_i$, it follows the edge to $low(w)$ if and only if $\alpha_i = 0$, and it follows the edge to $high(w)$ if and only if $\alpha_i = 1$. On all paths a terminal node is reached since a BDD is finite, directed, and acyclic. The label of the terminal node determines the return value of the BDD on input $\alpha$. More formally, we can define the Boolean function corresponding to a BDD and a distinguished node $v$ recursively.

Definition 3.7 (interpretation of binary decision diagrams)
Let $G = (V, E, index, value)$ be a BDD over $n$ variables $x_1, \dots, x_n$ and $v \in V$ a node of BDD $G$. The Boolean function $\phi(v) \in B_n$ which is computed at node $v$ is recursively defined as follows.

■ If $v$ is a terminal node and $value(v) = 1$ then $\phi(v) = 1$.

■ If $v$ is a terminal node and $value(v) = 0$ then $\phi(v) = 0$.

■ If $v$ is an internal node and $index(v) = x_i$ then

$$\phi(v) = (x_i' \cdot \phi(low(v))) + (x_i \cdot \phi(high(v))).$$

The variable $x_i$ is called decision variable for $v$.

Figure 3.3, which shows a BDD over $X_4$, illustrates the definition. The internal nodes, represented by circles, are labelled with $x_2$, $x_3$, and $x_4$. Low-edges are represented by dashed lines, high-edges by solid lines. All edges are directed from top to bottom. Quadrangles represent terminal nodes. Terminal nodes are labelled with 0 or 1 and represent the Boolean functions 0 and 1, respectively. Every node $v$ of a BDD represents a Boolean function $\phi(v) \in B_4$. The left upper internal node and the right upper internal node of the BDD represent the Boolean functions described by

$$x_4 + (x_2 \cdot x_3 \cdot x_4')$$

and

$$(x_3 \cdot x_4') + (x_2 \cdot x_3 \cdot x_4),$$

respectively. Note that the Boolean functions represented by the BDD are independent of variable $x_1$ as there is no internal node labelled with $x_1$.

Figure 3.3. Binary decision diagram. The dashed and solid lines denote low-edges and high-edges, respectively. All edges are directed from top to bottom.

Notation When we talk about a BDD $F$ of an m-ary Boolean function $f \in B_{n,m}$ in the following, we mean a BDD which contains $m$ distinguished nodes $r_{F,1}, \dots, r_{F,m}$ with $\phi(r_{F,i}) = f_i$ for each $i \in \mathbb{N}_m$. We call them root nodes in the following. In the illustrations, we will mark them with pointers (see Figure 3.4). If there is only one root node $r_F$, then $r_F$ does not have any incoming edge and we use the notation $\phi(F) = f$.

Because of the Boole-Shannon expansion, it is easy to see that for each Boolean function $f \in B_n$ there exists a BDD $F$ with root node $r_F$ representing $f$, i.e., $\phi(r_F) = f$. Thus, BDDs over $X_n$ are a complete representation of $B_n$. Allowing more than one distinguished node in the BDDs results in representations of m-ary Boolean functions. More formally, for fixed natural numbers $n$ and $m$, BDDs over $X_n$ with $m$ root nodes are a complete representation of $B_{n,m}$.

Unfortunately, an efficient manipulation of BDDs is not possible for the general BDDs of Definition 3.6. Therefore, we need restrictions on the structure of the BDDs, which were introduced by Bryant [20].

Definition 3.8 (variable order) Let $\pi \in Per(\mathbb{N}_n)$ be any permutation of the set $\mathbb{N}_n$. Permutation $\pi$ induces a linear order $<$ on $X_n$ which is defined by $x_{\pi(i)} < x_{\pi(j)}$ if and only if $i < j$. We say that the linear order $<$ is a variable order.
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Figure 3.4. Binary decision diagram with two root nodes. The corresponding pointers are 
given by the arrows without source node. It represents a Boolean function / £ B 4.2 described 
by the two Boolean formulae X4 + (x2 ■ X3 ■ X4') and (*3 • X4') + {x2 ■ X3 ■ X4). 



Definition 3.9 (reduced ordered binary decision diagrams) A BDD $G = (V, E, index, value)$ is ordered if there exists a linear order $<$ of the variables of $G$ such that $index(u) < index(v)$ holds for each edge $(u, v) \in E$ with $v$ being an internal node. If the BDD $G$ is ordered, then $\pi_G$ and $<_G$ denote the corresponding permutation and variable order, respectively.

An ordered BDD is reduced if there are no two different nodes $v_1$ and $v_2$ with $\phi(v_1) = \phi(v_2)$.

A BDD which is ordered and reduced is called reduced ordered binary decision diagram (ROBDD).

Figure 3.5 illustrates the last definitions. The ordered binary decision diagram, which is defined over the variables $x_1, x_2, x_3$, and $x_4$ and is ordered according to $x_2 < x_1 < x_3 < x_4$, represents the Boolean function $f \in B_4$ described by the Boolean formula $(x_1 \cdot x_3 \cdot x_4) + x_2$, which is equivalent to the Boolean formula $(x_1 \cdot x_2' \cdot x_3 \cdot x_4) + x_2$.

As shown in Figure 3.5, the internal nodes of an ordered binary decision diagram $G = (V, E, index, value)$ over $X_n$ can be graphically partitioned into $n + 1$ levels. For $j \in \mathbb{N}_n$, the $j$th level consists of those nodes labelled with $x_{\pi_G(j)}$. The terminal nodes are at level $n + 1$. By this, we obtain a mapping $level_G : V \to \mathbb{N}_{n+1}$ which uniquely associates each node of $V$ with its level. In the following, let $level_G^{-1}(j)$ denote the set of nodes of the $j$th level of $G$.

Note that the binary decision diagram shown in Figure 3.5 is not reduced. The three left nodes labelled with $x_4$ represent the same Boolean function, namely the constant Boolean function 0. The left node labelled with $x_3$ also describes the constant Boolean function 0. Thus, these four nodes can be identified with the terminal node labelled with 0 and we obtain the ordered binary decision diagram shown in Figure 3.6, which is reduced.

Figure 3.5. Ordered binary decision diagram. The edges are directed from top to bottom.




Figure 3.6. ROBDD of the Boolean function $f \in B_4$ given by $(x_1 \cdot x_3 \cdot x_4) + x_2$.



The reduction of ordered binary decision diagrams is based on only two local reduction rules. The main idea of the reduction rules is to remove redundancies from the ordered binary decision diagram, namely superfluous tests of variables and tests that are represented more than once. Both reduction rules are shown in Figures 3.7a and 3.7b. The reduction rule of Figure 3.7a can be applied to nodes $v$ for which both outgoing edges lead to the same node $w$. It is obvious that we can redirect all edges leading to $v$ to the node $w$ and that we can delete $v$ afterwards without changing the interpretation of the ordered binary decision diagram. This reduction rule is called deletion rule. The reduction rule shown in Figure 3.7b, which is called merging rule, is applicable if there are nodes $v_1$ and $v_2$ with the same label, the same low-successor, and the same high-successor; one of them is deleted and its incoming edges are redirected to the other. Bryant [20] proved that using these two reduction rules is sufficient to obtain a canonical representation for each Boolean function and each variable ordering. Before proving this fact, let us introduce the notion of isomorphic BDDs, which we are going to use in the proof of the canonicity of ROBDDs.

Figure 3.7a. Deletion rule

Figure 3.7b. Merging rule
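An added example (not code from [20] or from the book) of the construction these two rules enable: a unique table keyed by (variable, low, high) implements the merging rule, and `mk` returns the shared successor whenever low and high coincide, which is the deletion rule. Building a function by Boole-Shannon expansion along a fixed order then yields a canonical ROBDD, so equivalence of two functions is a comparison of root node numbers, and the size of the diagram can be compared across orders. The class and function names are this example's own; the order-sensitivity check uses the classic $x_1 x_2 + x_3 x_4 + x_5 x_6$, whose ROBDD has 6 internal nodes for the interleaved order and 14 for the order that tests all first factors before all second factors.

```python
"""Reduced ordered BDDs built with the two reduction rules: a unique table
implements the merging rule and mk() implements the deletion rule, so the
result is canonical for a fixed variable order (added example)."""


class ROBDD:
    ZERO, ONE = 0, 1                    # the two terminal nodes

    def __init__(self, order):
        self.order = list(order)        # variable order, e.g. [2, 1, 3, 4]
        self.nodes = {}                 # node id -> (var, low, high)
        self.unique = {}                # (var, low, high) -> node id

    def mk(self, var, low, high):
        """Create or find the node testing var with successors low/high."""
        if low == high:                 # deletion rule: superfluous test
            return low
        key = (var, low, high)
        if key not in self.unique:      # merging rule: one node per triple
            self.unique[key] = len(self.nodes) + 2
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def build(self, fn):
        """Boole-Shannon expansion of fn along the order. fn receives a dict
        variable -> value for all variables of the order; exponential in n,
        fine for the small examples here."""
        def rec(level, env):
            if level == len(self.order):
                return self.ONE if fn(env) else self.ZERO
            var = self.order[level]
            low = rec(level + 1, {**env, var: 0})
            high = rec(level + 1, {**env, var: 1})
            return self.mk(var, low, high)
        return rec(0, {})

    def evaluate(self, root, env):
        """Follow the computation path of input env from root to a terminal."""
        v = root
        while v not in (self.ZERO, self.ONE):
            var, low, high = self.nodes[v]
            v = high if env[var] else low
        return v

    def size(self, root):
        """|G|: number of internal nodes reachable from root."""
        seen = set()

        def walk(v):
            if v in (self.ZERO, self.ONE) or v in seen:
                return
            seen.add(v)
            walk(self.nodes[v][1])
            walk(self.nodes[v][2])
        walk(root)
        return len(seen)


def chain_sum(env):
    """x1.x2 + x3.x4 + x5.x6, the standard order-sensitivity example."""
    return (env[1] & env[2]) | (env[3] & env[4]) | (env[5] & env[6])
```

Because every node is created through `mk`, no node ever has identical successors and no two nodes share a triple, which is exactly "reduced" in the sense of Definition 3.9 once the order is fixed; that is why the two formulae of Figure 3.5 end up at the same node number.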

Definition 3.10 (isomorphic binary decision diagrams)
Let $F_1 = (V_1, E_1, index_1, value_1)$ and $F_2 = (V_2, E_2, index_2, value_2)$ be two BDDs. $F_1$ and $F_2$ are said to be isomorphic if there is a bijective function $\sigma : V_1 \to V_2$ such that for any node $v_1 \in V_1$ with $\sigma(v_1) = v_2$ either both $v_1$ and $v_2$ are terminal nodes with $value_1(v_1) = value_2(v_2)$, or both $v_1$ and $v_2$ are internal nodes with $index_1(v_1) = index_2(v_2)$, $\sigma(low(v_1)) = low(v_2)$, and $\sigma(high(v_1)) = high(v_2)$.

Theorem 3.2 Let $\pi \in Per(\mathbb{N}_n)$ be any permutation of $\mathbb{N}_n$ and $<$ the variable order induced by $\pi$. Then, for each Boolean function $f \in B_n$ there exists, up to isomorphism, only one ROBDD $G$ over $X_n$ of $f$ such that $G$ is ordered with respect to $<$.

Proof: We follow the proof given in [20] and prove the canonicity of ROBDDs by induction. First, we show that the ROBDD of a constant Boolean function is unique. Then, we assume that for each Boolean function which depends on at most $N \geq 0$ Boolean variables there exists a unique ROBDD.




Representation of Functions 



37 



Under this assumption, we prove that the ROBDD of a Boolean funetion which 
depends on + 1 Boolean variables is unique, too. 

Without loss of generality, we show that the ROBDD representation of the 
constant Boolean function 0 \in B_n is unique. Let G = (V, E, index, value) 
be a reduced ordered binary decision diagram of the Boolean function 0. G 
has a root node r_G and consists of k \geq 0 internal nodes. Each path starting 
from the root node r_G ends in a terminal node b with value(b) = 0 as \phi(G) = 
\phi(r_G) = 0. Thus, each terminal node of G has value 0 as label. As G is 
reduced, G contains only one terminal node. Now assume that k is greater than 
0, i.e., G contains at least one internal node. As G is a finite acyclic graph, it also 
contains at least one internal node v whose low-edge and high-edge both point to 
terminal nodes. As there is only one terminal node, both edges point to the 
same terminal node, which contradicts the condition that G is reduced (the 
deletion rule would apply to v). 
Thus, the ROBDD of the constant Boolean function 0 is unique. It consists of 
only one (terminal) node labelled with value 0. Analogously, we can prove that 
the ROBDD representation of the constant Boolean function 1 \in B_n is unique. 

Now, let f \in B_n be a Boolean function which depends on at least one Boolean 
variable. Thus, f is neither the constant Boolean function 0 nor the constant Boolean 
function 1. Let G_1 = (V_1, E_1, index_1, value_1) and G_2 = (V_2, E_2, index_2, value_2) 
be two ROBDDs of f which both are defined with respect to the variable order <. 
As f is not constant, both G_1 and G_2 contain at least one internal node. Let 
r_{G_1} and r_{G_2} be the roots of G_1 and G_2, respectively. Let r_{G_1} be labelled with 
variable x_i, i.e., index(r_{G_1}) = x_i, and r_{G_2} with variable x_j. As 

\phi(r_{G_1}) = f = \phi(r_{G_2}), 

this results in 

f = (x_i' \cdot \phi(low(r_{G_1}))) + (x_i \cdot \phi(high(r_{G_1}))) 

and 

f = (x_j' \cdot \phi(low(r_{G_2}))) + (x_j \cdot \phi(high(r_{G_2}))). 

If x_i differs from x_j (without loss of generality, we assume x_i < x_j), then G_1 
represents a Boolean function which depends on x_i (G_1 is reduced, so its root 
is not redundant), whereas G_2 represents a Boolean function which does not depend 
on x_i (x_i precedes x_j in the variable order, so no node of G_2 is labelled with x_i). 
This contradicts the fact that G_1 and G_2 represent the same Boolean function f. 
Thus, index(r_{G_1}) = index(r_{G_2}) must hold, and the equations 

f = (x_i' \cdot \phi(low(r_{G_1}))) + (x_i \cdot \phi(high(r_{G_1}))) 
f = (x_i' \cdot \phi(low(r_{G_2}))) + (x_i \cdot \phi(high(r_{G_2}))) 

hold. By this, \phi(low(r_{G_1})) = \phi(low(r_{G_2})) and \phi(high(r_{G_1})) = \phi(high(r_{G_2})) 
follow, since both sides are the negative and the positive cofactor of f with 
respect to x_i, which are uniquely determined by f. 

As \phi(low(r_{G_1})) is independent of variable x_i, the sub-ROBDDs rooted by 
low(r_{G_1}) and low(r_{G_2}) are isomorphic by induction, i.e., there exists a 
bijective function \sigma_{low} from the nodes of the sub-ROBDD rooted by low(r_{G_1}) 
onto the nodes of the sub-ROBDD rooted by low(r_{G_2}) such that for any node v_1, 
if \sigma_{low}(v_1) = v_2, then either both v_1 and v_2 are terminal nodes with 
value_1(v_1) = value_2(v_2) or both v_1 and v_2 are internal nodes with 
index_1(v_1) = index_2(v_2), \sigma_{low}(low(v_1)) = low(v_2), and 
\sigma_{low}(high(v_1)) = high(v_2). As \phi(high(r_{G_1})) = \phi(high(r_{G_2})) holds as 
well, there is such a bijective function \sigma_{high} from the nodes of the sub-ROBDD 
rooted by high(r_{G_1}) onto the nodes of the sub-ROBDD rooted by high(r_{G_2}), too. 

Now, in order to prove that the ROBDDs G_1 and G_2 are isomorphic, we only 
have to prove that the function \sigma from the nodes of G_1 onto the nodes of G_2 
defined by 

\sigma(v) = \begin{cases} 
r_{G_2}, & \text{if } v = r_{G_1} \\ 
\sigma_{low}(v), & \text{if } v \text{ is a node of the sub-ROBDD rooted by } low(r_{G_1}) \\ 
\sigma_{high}(v), & \text{if } v \text{ is a node of the sub-ROBDD rooted by } high(r_{G_1}) 
\end{cases} 

is well-defined and a bijective function. 

For each node v \in V_1 which is contained in both the sub-ROBDD 
rooted by low(r_{G_1}) and the sub-ROBDD rooted by high(r_{G_1}), the equations 
\phi(v) = \phi(\sigma_{low}(v)) and \phi(v) = \phi(\sigma_{high}(v)) hold. Thus, \sigma_{low}(v) = \sigma_{high}(v) 
has to hold as well, as G_2 does not contain isomorphic sub-BDDs. This proves 
that the function \sigma is well-defined. 

Function \sigma is surjective because both \sigma_{low} and \sigma_{high} are surjective. It is 
injective because ROBDD G_1 does not contain isomorphic sub-BDDs. Thus, \sigma is 
bijective. 

This completes the proof. ■ 

Notation As there is only one terminal node labelled with value 0 in ROBDDs, 
we simply call it terminal node 0. Analogously, the terminal node labelled with 
value 1 is called terminal node 1. 

In the restricted form defined in Definition 3.9, binary decision diagrams gained 
widespread application because of their canonicity and their efficiency in terms 
of time and space. Of course, Theorem 3.1 on page 25 also holds for ROBDDs. 
But many Boolean functions which occur in practical applications can 
efficiently be represented by ROBDDs. 

3.2 Complexity of the essential operations 

Now, let us investigate the complexities of the essential operations for ROBDDs 
of single-output Boolean functions of B_n. 

3.2.1 Boolean operations 

All the unary and binary Boolean operations can efficiently be performed on 
ROBDDs. The common approach is to use the ternary if-then-else operator 
(ITE) defined by 

ITE(f, g, h) = (f \cdot g) + (f' \cdot h), 

which implements "if f then g else h". 

It is easy to see that 

f \cdot g = ITE(f, g, 0), 

f + g = ITE(f, 1, g), 

and 

f' = ITE(f, 0, 1) 

hold. 

Thus, we have to present only the basic algorithm which implements the ITE-
operator. The crucial idea of the algorithm is to use the Boole-Shannon decom-
position of Boolean functions. By applying the Boole-Shannon decomposition 
with respect to a variable x it is easy to prove that 

ITE(f, g, h) = (x \cdot ITE(f_{x=1}, g_{x=1}, h_{x=1})) + (x' \cdot ITE(f_{x=0}, g_{x=0}, h_{x=0})) 

holds. The terminal cases of this recursion are 

ITE(1, g, h) = g, 

ITE(0, g, h) = h, 

ITE(f, 1, 0) = f, 

and 

ITE(f, g, g) = g. 

This results in the algorithm shown in Figure 3.8. 

The runtime of the algorithm is O(|F| \cdot |G| \cdot |H|). To reach this runtime, the 
algorithm works with two internal tables: 

■ The unique table is a dictionary of the Boolean functions represented by the 
nodes which belong to a reduced ordered binary decision diagram. With the 
unique table the applications check whether a node labelled with variable x 
and children low and high already exists. In the ITE-algorithm, for example, 
the unique table is used by function FIND_OR_ADD_UNIQUE_TABLE. If 
the function finds an existing node labelled with x which has low and high 
as 0-successor and 1-successor, respectively, it outputs the address of this 
node, which is interpreted as root node of the ROBDD just synthesized. 
Otherwise, a new node is created and added to the unique table. With this, 
the merging rule is implicitly applied already during the synthesis algorithm. 
The deletion rule is applied by the lower if-statement of the algorithm (the 
case high == low). Thus the BDD returned by the ITE-algorithm is always a 
reduced ordered BDD. 

ITE(F, G, H) 
begin 
  if TERMINAL_CASE("ITE", F, G, H, result) 
    // true iff the recursion can be aborted because of a special case 
  then return result; 
  fi; 
  if FIND_IN_COMPUTED_TABLE("ITE", F, G, H, result) 
    // true iff ITE(F, G, H) has already been computed 
  then return result; 
  fi; 
  x = smallest variable occurring in F, G, and H; 
  high = ITE(F_{x=1}, G_{x=1}, H_{x=1}); 
  low = ITE(F_{x=0}, G_{x=0}, H_{x=0}); 
  if high == low 
  then result = high; 
  else result = FIND_OR_ADD_UNIQUE_TABLE(x, low, high); 
    // returns the ROBDD of (x' · low) + (x · high) 
  fi; 
  INSERT_IN_COMPUTED_TABLE("ITE", F, G, H, result); 
  return result; 
end; 

Figure 3.8. The ITE-algorithm. Note that the variables of the three ROBDDs 
F, G, and H have to be ordered with respect to the same variable order. 



■ The computed table is used to store already computed results of previous 
calls of the ITE-algorithm. Thus, the ITE-algorithm is called at most once 
for each combination of nodes in F, G, and H, which results in the overall 
time complexity of O(|F| \cdot |G| \cdot |H|) [43]. 

Both tables are best implemented by hash tables. As is usual when analyz-
ing the computational complexity of decision diagram algorithms, we assume 
"ideal" hash tables for the unique table and the computed table, i.e., look-ups 
and insertions can be performed in constant time. (For more details, we refer 
to [56].) Thus, the binary operators can be efficiently executed if ROBDDs are 
used. 

Theorem 3.3 Let F and G be two ROBDDs of Boolean functions of B_n 
which are ordered with respect to the same variable order. Then, the ROBDD 
of \phi(F) \cdot \phi(G) and the ROBDD of \phi(F) + \phi(G) can be computed in time 
O(|F| \cdot |G|). The ROBDD of \phi(F)' can be computed in time O(|F|). 

3.2.2 Cofactor computation 

Let us consider an ROBDD F over X_n of a Boolean function f \in B_n and 
any variable x_i \in X_n. In order to compute the cofactor f_{x_i=c}, we have to 
redirect all edges leading to nodes labelled with x_i to the c-successor of these 
nodes [47]. As the resulting ordered binary decision diagram is not necessarily 
reduced, a reduction algorithm has to be applied to the result. Both steps can 
be performed in time O(|F|). Before the transformation, a copy of ROBDD F 
has to be created in order to conserve the representation of f. 

Cofactor computation is rather trivial if x_i is the first variable of the variable 
order of ROBDD F, i.e., x_i is the smallest variable with respect to the order. 
Let r_F be the root node of F; then either r_F is not labelled with x_i or it is 
labelled with x_i. In the first case, f is independent of x_i, i.e., f = f_{x_i=1} = f_{x_i=0}. 
In the second case, low(r_F) and high(r_F) are the ROBDDs of the negative 
cofactor f_{x_i=0} and the positive cofactor f_{x_i=1}, respectively. Thus, in this 
special case the cofactor computation has constant runtime. It has to return 
the address of low(r_F) or high(r_F), only. 

3.2.3 Substitution by functions 

Given the ROBDDs F and G of two Boolean functions f and g of B_n defined 
over the same set X_n of variables, the computation of f_{x_i=g} can be solved easily 
by using the if-then-else operator ITE. Remember that f can be decomposed 
as 

f = (x_i' \cdot f_{x_i=0}) + (x_i \cdot f_{x_i=1}). 

Both cofactors f_{x_i=0} and f_{x_i=1} are independent of x_i. Thus 

f_{x_i=g} = (g' \cdot f_{x_i=0}) + (g \cdot f_{x_i=1}) 

holds. The corresponding ROBDD is computed by 

ITE(G, F_{x_i=1}, F_{x_i=0}), 

where F_{x_i=1} and F_{x_i=0} denote the ROBDDs of the positive and negative cofac-
tor of f with respect to x_i, respectively. The time complexity of this operation 
is O(|G| \cdot |F|^2). 

3.2.4 Satisfiability and tautology check 

Both the satisfiability check and the tautology check applied to an ROBDD F of a 
Boolean function of B_n can be performed in constant time. Just check whether the 
ROBDD F consists of terminal node 0 or terminal node 1 only: the function is 
unsatisfiable iff F is terminal node 0, and it is a tautology iff F is terminal node 1. 

3.2.5 Satisfy count computation 

Let F be the ROBDD over X_n of a Boolean function f \in B_n and r_F the root 
node of F. The satisfy count |f| of f can be computed by a bottom-up algorithm 
which computes the number of paths |w| from each node w to the terminal node 
1_1 which is labelled with 1. Actually, it computes the number of paths from 
each node w to terminal node 1_1 in the complete BDD which is obtained when 
applying the deletion rule in the opposite direction to the ROBDD F such that 
each variable is encountered exactly once on each path from root node r_F to a 
terminal node. Let level(w) denote the position of index(w) in the variable order 
for an internal node w, and let level(w) = n + 1 for a terminal node w. 

There is no path from the terminal node 1_0 labelled with 0 to 1_1, and there is 
exactly one path from 1_1 to 1_1. Therefore, |1_0| and |1_1| are 0 and 1, respectively. 
For each internal node w of F with successors w_0 and w_1, the number of paths 
|w| from w to 1_1 is given by 

|w| = |w_0| \cdot 2^{level(w_0) - level(w) - 1} + |w_1| \cdot 2^{level(w_1) - level(w) - 1}, 

where the powers of two account for the variables skipped on the edges from w 
to w_0 and w_1 (each skipped variable doubles the number of paths in the complete 
BDD). Then, the satisfy count |f| of f is given by 

|f| = |r_F| \cdot 2^{level(r_F) - 1}. 

The complexity of this algorithm in terms of time is O(|F|). It is summarized 
in Figure 3.9. 

3.2.6 ROBDD minimization 

The efficiency of the algorithms just considered strongly depends on the size of 
the ROBDD representations of the Boolean functions under consideration: 
the larger the ROBDD representations, the more costly the procedures. In accor-
dance with this fact, many researchers have developed algorithms and heuristics 
for ROBDD minimization [26, 41, 44, 50, 51, 52, 66, 68, 93, 102, 103, 114, 
115, 125, 128, 132]. 

Note that ROBDDs are a canonical representation of Boolean functions for a 
fixed variable order only. If the variable order is changed, then the ROBDDs 
change in general as well. In many cases, the choice of the variable order is 
crucial as the size of the ROBDDs can strongly depend on the variable order 
chosen. Figure 3.10, which is taken from [20], illustrates this remark. The 
Boolean function which is defined by the Boolean formula 

(x_1 \cdot x_2) + (x_3 \cdot x_4) + (x_5 \cdot x_6) 

is represented twice, once by an ROBDD with respect to the variable order 

x_1 < x_2 < x_3 < x_4 < x_5 < x_6 

and once by an ROBDD with respect to the variable order 

x_1 < x_3 < x_5 < x_2 < x_4 < x_6. 

The ROBDDs consist of 6 and 14 internal nodes, respectively. It is straight-
forward to generalize this example. For a fixed n \in N, consider the Boolean 
function of B_{2n} defined by the Boolean formula 

(x_1 \cdot x_2) + \ldots + (x_{2i-1} \cdot x_{2i}) + \ldots + (x_{2n-1} \cdot x_{2n}). 

The ROBDD of this function with respect to variable order 

x_1 < x_2 < \ldots < x_{2n-1} < x_{2n} 

consists of 2n internal nodes, whereas the ROBDD of this function with respect to 
variable order 

x_1 < x_3 < \ldots < x_{2n-3} < x_{2n-1} < x_2 < x_4 < \ldots < x_{2n-2} < x_{2n} 

consists of at least 2^n nodes. The latter statement follows from the fact that 
there must be at least as many nodes as there are different assignments to the 
variables x_1, x_3, \ldots, x_{2i-1}, \ldots, x_{2n-1}: each of these 2^n assignments 
leaves a different subfunction over x_2, x_4, \ldots, x_{2n}, which needs a node of its own. 
More examples where the choice of the 
variable order determines whether the number of nodes is linear or exponential 
are presented in [147]. 

SATISFY_COUNT(F) 
begin 
  |1_0| = 0; |1_1| = 1; 
  for j from n downto 1 
  do 
    forall nodes w of the jth level 
    do 
      |w| = |w_0| · 2^(level(w_0) − j − 1) + |w_1| · 2^(level(w_1) − j − 1); 
    od; 
  od; 
  return |r_F| · 2^(level(r_F) − 1); 
end; 

Figure 3.9. A linear bottom-up algorithm for satisfy count computation. 




Figure 3.10. ROBDDs of (x_1 \cdot x_2) + (x_3 \cdot x_4) + (x_5 \cdot x_6) with respect to different variable orders. 
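The following Python package is an added example and not code from the book: it implements the unique table and computed table described in Section 3.2.1, the ITE-algorithm of Figure 3.8, the cofactor and substitution operations of Sections 3.2.2 and 3.2.3, and the satisfy count algorithm of Figure 3.9, and then rebuilds the pairs function of this section under both variable orders to reproduce the sizes 2n and at least 2^n. The class and function names, the node ids and the variable names x1, x2, ... are assumptions made for the example.

```python
# Minimal ROBDD package (added example, not the book's code). The unique table
# implements the merging rule, the "low == high" check in mk implements the
# deletion rule, ite with a computed table follows Figure 3.8, and
# satisfy_count follows Figure 3.9. Names and sample functions are assumptions.

class ROBDD:
    def __init__(self, order):
        self.order = list(order)                 # variable order; position = level
        self.level = {x: i for i, x in enumerate(self.order)}
        self.n = len(self.order)
        # node id -> (level, low, high); terminals 0 and 1 sit at level n
        self.nodes = {0: (self.n, None, None), 1: (self.n, None, None)}
        self.unique = {}                         # (level, low, high) -> id
        self.computed = {}                       # memo for ite and cofactor

    def mk(self, level, low, high):
        """FIND_OR_ADD_UNIQUE_TABLE: node for (x' * low) + (x * high)."""
        if low == high:                          # deletion rule
            return low
        key = (level, low, high)
        if key not in self.unique:               # merging rule: reuse equal node
            self.unique[key] = len(self.nodes)
            self.nodes[self.unique[key]] = key
        return self.unique[key]

    def var(self, x):
        return self.mk(self.level[x], 0, 1)

    def cofactor(self, f, level, c):
        """f_{x=c} for the variable at the given level (Section 3.2.2)."""
        lv, low, high = self.nodes[f]
        if lv > level:                           # f does not depend on x
            return f
        if lv == level:                          # constant-time special case
            return high if c else low
        key = ("cof", f, level, c)
        if key not in self.computed:
            self.computed[key] = self.mk(lv, self.cofactor(low, level, c),
                                             self.cofactor(high, level, c))
        return self.computed[key]

    def ite(self, f, g, h):
        if f == 1 or g == h:                     # terminal cases of Figure 3.8
            return g
        if f == 0:
            return h
        if (g, h) == (1, 0):
            return f
        key = ("ite", f, g, h)
        if key in self.computed:                 # computed table
            return self.computed[key]
        x = min(self.nodes[u][0] for u in (f, g, h))   # smallest variable
        high = self.ite(*(self.cofactor(u, x, 1) for u in (f, g, h)))
        low = self.ite(*(self.cofactor(u, x, 0) for u in (f, g, h)))
        self.computed[key] = self.mk(x, low, high)
        return self.computed[key]

    def and_(self, f, g): return self.ite(f, g, 0)
    def or_(self, f, g): return self.ite(f, 1, g)
    def not_(self, f): return self.ite(f, 0, 1)

    def compose(self, f, x, g):
        """f_{x=g} = ITE(g, f_{x=1}, f_{x=0}) (Section 3.2.3)."""
        lv = self.level[x]
        return self.ite(g, self.cofactor(f, lv, 1), self.cofactor(f, lv, 0))

    def size(self, f):
        """Number of internal nodes reachable from f."""
        seen, stack = set(), [f]
        while stack:
            u = stack.pop()
            if u > 1 and u not in seen:
                seen.add(u)
                stack.extend(self.nodes[u][1:])
        return len(seen)

    def satisfy_count(self, f):
        """Figure 3.9: paths to terminal 1 in the complete BDD, bottom-up."""
        memo = {0: 0, 1: 1}
        def paths(u):
            if u not in memo:
                lv, low, high = self.nodes[u]
                memo[u] = (paths(low) * 2 ** (self.nodes[low][0] - lv - 1)
                           + paths(high) * 2 ** (self.nodes[high][0] - lv - 1))
            return memo[u]
        return paths(f) * 2 ** self.nodes[f][0]   # variables above the root

def pairs_function(bdd, n):
    """ROBDD of (x1*x2) + ... + (x_{2n-1}*x_{2n}) in the package's order."""
    f = 0
    for i in range(1, n + 1):
        f = bdd.or_(f, bdd.and_(bdd.var(f"x{2*i-1}"), bdd.var(f"x{2*i}")))
    return f

def sizes_under_orders(n):
    """(size, satisfy count) of the pairs function under the two orders of
    the text: interleaved (2n nodes) and odd variables first (>= 2^n)."""
    interleaved = [f"x{i}" for i in range(1, 2 * n + 1)]
    separated = ([f"x{i}" for i in range(1, 2 * n + 1, 2)]
                 + [f"x{i}" for i in range(2, 2 * n + 1, 2)])
    result = {}
    for name, order in (("interleaved", interleaved), ("separated", separated)):
        bdd = ROBDD(order)
        f = pairs_function(bdd, n)
        result[name] = (bdd.size(f), bdd.satisfy_count(f))
    return result

if __name__ == "__main__":
    print(sizes_under_orders(3))   # interleaved: 6 nodes, separated: 14 nodes
```

Because every node is created through mk, each result of ite is reduced and ordered by construction, so two calls that synthesize the same function return the same node id; that is what makes the satisfy count, equivalence checks and the size comparison in sizes_under_orders meaningful.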



Unfortunately, the ROBDD minimization problem is NP-hard. Bollig, Savicky, 
and Wegener [11, 12] showed that the problem 

Given an ROBDD of a Boolean function f \in B_n, 
compute a minimum-sized ROBDD of f, i.e., compute a variable order 
which induces an ROBDD of f with a minimum number of internal nodes 

is NP-hard. Meinel [101] proved that the decision problem 

Given a Boolean network N of a Boolean function f \in B_n and a 
permutation \pi \in Per(N_n), 
decide whether the size of the ROBDD of f induced by \pi is minimum 

is NP-hard as well. 

Thus, in both situations, the situation that the Boolean function is represented 
by a circuit and the situation that it is already represented by an ROBDD, the 
optimization problem of finding an optimal variable order can only be handled 
by heuristics, in general. 

Since the subject of ROBDD minimization has already been discussed at full length 
in many publications, we do not address the issue of finding optimal 
variable orders in this book. We refer to the surveys given in [42, 43, 47] and 
briefly present the sifting algorithm introduced by Rudell in 1993 [125] only. 
Most of the heuristics presented in literature are based on Rudell's idea. 

Given an ROBDD of a Boolean function, the sifting algorithm selects a variable 
x_i and searches for the position of this variable which minimizes the ROBDD 
size. The positions of the rest of the variables do not change. This process 
is iterated until every variable is sifted once. The local minimization step is 
realized by exchanging neighboring variables, i.e., variable x_i is first pushed to 
the end of the variable order by exchanging it with the following variables with 
respect to the variable order, step by step. Then, it is pushed to the first position 
of the variable order. Finally, it is moved to its (locally) optimal position. 

The basic exchange operation is a local operation. The goal of the operation 
applied to the variables x_{\pi_F(i)} and x_{\pi_F(i+1)} of an ROBDD F is to compute the 
ROBDD G of \phi(F) with 

\pi_G(j) = \begin{cases} 
\pi_F(j), & \text{if } j \notin \{i, i+1\} \\ 
\pi_F(i), & \text{if } j = i+1 \\ 
\pi_F(i+1), & \text{if } j = i, 
\end{cases} 

i.e., the two variables swap their positions in the variable order. Now, look at 
a node m in F which is labelled with x_{\pi_F(i)} and which has at least one successor 
labelled with x_{\pi_F(i+1)}. It follows directly from the Boole-Shannon decomposition 
that the exchange operation is correctly performed by redirecting the 
corresponding low- and high-edges as shown in Figures 3.11a-3.11c. Thus, the 
ROBDD F remains unchanged above variable x_{\pi_F(i)} and below variable x_{\pi_F(i+1)}. 
For the ith and (i+1)th level of G, it can be proven that 

1/2 \cdot |level_F(i+1)| \leq |level_G(i)| \leq |level_F(i)| + |level_F(i+1)| 

and 

1 \leq |level_G(i+1)| \leq 2 \cdot |level_F(i)| 

hold [44], as \phi(F) depends on both variables x_{\pi_F(i)} and x_{\pi_F(i+1)}. If the nodes 
labelled with x_{\pi_F(i)} can be traversed in linear time, this algorithm is very 
efficient. The runtime is linear with respect to the number of nodes labelled 
with x_{\pi_F(i)}. 

3.3 Generalizations of Binary Decision Diagrams 

There is quite a large number of extensions of the basic ROBDD concept to rep-
resent Boolean functions of B_n which have been proposed in literature. These 
investigations were motivated by the fact that, although ROBDDs are more 
effective than other representations of Boolean functions, there are Boolean 
functions occurring in practical applications for which ROBDDs are too large to 
be stored in computer memory. For example, it is well-known that ROBDDs of 
the multiplication of two n-bit integers have at least 2^{n/8} nodes [20]. In this sec-
tion, we briefly deal with two of these extensions, ROBDDs with complemented 
edges and decision diagrams based on different decomposition rules, namely 
functional and Kronecker functional decision diagrams. Further variations of 
decision diagrams for Boolean functions can be found in [21, 126]. Section 4 
goes into a further generalization of BDDs, binary moment diagrams, which are 
a representation of pseudo-Boolean functions. 

Figure 3.11a. Exchanging of neighboring variables: first case. A, B, C, and D denote sub-
BDDs. The circles of the internal nodes have been omitted for a better graphical representation. 

Figure 3.11b. Exchanging of neighboring variables: second case. 

Figure 3.11c. Exchanging of neighboring variables: third case. 
3.3.1 ROBDDs with complemented edges 

In some implementations a slightly different version of ROBDDs, namely ROB-
DDs with complemented edges, is used. Complemented edges were suggested 
in [3, 15, 104]. On each edge (and on each pointer to a root node) there may be a 
complement attribute. Such a complemented edge indicates that the interpreta-
tion of the node the edge points at is complemented when the node is reached 
via this edge. 

ROBDDs with complemented edges where complement attributes occur only on 
high-edges are a canonical representation of Boolean functions, too. Note that 
the reduction rules have to be changed slightly in a straightforward manner, and 
complement attributes on low-edges can easily be removed by a bottom-up pass 
through the ROBDD. 

The number of nodes of ROBDDs with complemented edges is usually smaller 
than the number of nodes in ROBDDs without complemented edges; the size 
of ROBDDs with complemented edges can be half the size of the correspond-
ing ROBDD without complemented edges. The asymptotic complexity of the 
essential operations remains unaffected. However, the description of the algo-
rithms is more complicated for ROBDDs with complemented edges. In order 
to avoid becoming entangled in technical details, we use ROBDDs without 
complemented edges throughout this book. 

3.3.2 Functional Decision Diagrams 

In [72, 73], ordered functional decision diagrams (FDDs) have been proposed 
as a representation of Boolean functions. They are syntactically defined as or-
dered BDDs, but the Boole-Shannon decomposition is replaced by the positive Davio 
decomposition 

f = f_{x_i=0} \oplus (x_i \cdot \partial f / \partial x_i). 

More formally, let v be an internal node labelled with x_i, then the Boolean 
function 

\phi(v) = \phi(low(v)) \oplus (x_i \cdot \phi(high(v))) 

is represented at v. The Boolean function represented by an ordered FDD can 
be described using activated paths [58], i.e., the Boolean function evaluates to 1 
with respect to an assignment a \in \{0,1\}^n if and only if there is an odd number 
of activated paths from the root node to the terminal node 1 with respect to a. 

Definition 3.11 (activated paths in FDDs) Let G be an FDD over 
X_n. Let v be an internal node of G labelled with x_i and e := (v, w) be an 
outgoing edge of v. Edge e is called activated with respect to an assignment 
a \in \{0,1\}^n if either w = low(v), or w = high(v) and a_i = 1. This can be 
denoted by the activation condition activate(e) of e, which is defined by 

activate(e) = \begin{cases} 1, & \text{if } w = low(v) \\ x_i, & \text{if } w = high(v). \end{cases} 

A path p = (e_1, e_2, \ldots, e_h) is called activated with respect to a if every edge 
of p is activated with respect to a, i.e., the activation condition is described by 

activate(p) = \prod_{j=1}^{h} activate(e_j). 

Symbol \prod denotes the iterated logical-and operator. 




Figure 3.12. FDD based on the positive Davio decomposition of the Boolean function f \in B_4 
given by (x_1 \cdot x_3 \cdot x_4) + x_2. The path which starts at the root node and which consists of low-
edges only is always activated. Other paths can be activated depending on the assignment to 
the variables. For example, the assignment (1, 0, 0, 0) to (x_1, x_2, x_3, x_4) induces two activated 
paths in total. 



For illustration we refer to Figure 3.12, which shows an FDD for the Boolean 
function f \in B_4 given by (x_1 \cdot x_3 \cdot x_4) + x_2. Assuming that the low-successor 
and the high-successor of the root represent the Boolean functions given by the 
Boolean formulae x_1 \cdot x_3 \cdot x_4 and (x_1 \cdot x_3 \cdot x_4)', respectively, the root (which is 
labelled with x_2) represents the Boolean function given by 

(x_1 \cdot x_3 \cdot x_4) \oplus (x_2 \cdot (x_1 \cdot x_3 \cdot x_4)') = (x_1 \cdot x_3 \cdot x_4) + x_2, 

as for all a, b \in \{0,1\} the equation a \oplus (b \cdot a') = a + b holds. 

Besides the Boole-Shannon expansion and the positive Davio decomposition, 
there is a third decomposition, the negative Davio decomposition 

f = f_{x_i=1} \oplus (x_i' \cdot \partial f / \partial x_i). 

Of course, there is also a variant of ordered FDDs based on the negative Davio 
decomposition, where the Boolean function \phi(v) represented by an internal node 
v is given by 

\phi(v) = \phi(low(v)) \oplus (x_i' \cdot \phi(high(v))). 

In the previous section we have introduced two reduction rules to be able to 
remove redundancy in ROBDDs. While the merging rule for ordered BDDs 
can be applied to ordered FDDs as well, we need a different deletion rule for 
ordered Davio FDDs. Here, an internal node v is superfluous if the high-edge 
of v points to the terminal node 0. This is because of 

\phi(v) = \phi(low(v)) \oplus (x_i^e \cdot \phi(high(v))) 

= \phi(low(v)) \oplus (x_i^e \cdot 0) 

= \phi(low(v)) \oplus 0 

= \phi(low(v)) 

for e \in \{0,1\}, where x_i^1 = x_i stands for the positive and x_i^0 = x_i' for the 
negative Davio decomposition. Reduced ordered FDDs are a canonical 
representation of Boolean functions. 

In [40, 46], ordered BDDs, ordered positive Davio FDDs, and ordered negative 
Davio FDDs are combined into a new variant called ordered Kronecker func-
tional decision diagrams (KFDDs). The main idea is that at different internal 
nodes different decompositions may be chosen, with the constraint that the de-
compositions of internal nodes labelled with the same variable are the same. 
That is, the decomposition types of the internal nodes can be described by a 
mapping d : X_n \to \{S, pD, nD\}. S, pD, and nD denote the Boole-Shannon 
decomposition, the positive Davio decomposition, and the negative Davio de-
composition, respectively. The Boolean function represented by an ordered 
KFDD can be described using activated paths as well [58]. 

Definition 3.12 (activated paths in KFDDs) Let G be a KFDD over 
X_n, v an internal node of G labelled with x_i, and e := (v, w) an outgoing 
edge of v. The activation condition activate(e) of edge e can be described as 
follows: 

activate(e) = \begin{cases} 
1, & \text{if } w = low(v) \text{ and } d(x_i) \in \{pD, nD\} \\ 
x_i', & \text{if either } w = low(v) \text{ and } d(x_i) = S, \text{ or } w = high(v) \text{ and } d(x_i) = nD \\ 
x_i, & \text{if } w = high(v) \text{ and } d(x_i) \in \{S, pD\}. 
\end{cases} 

As above, the activation condition of a path p = (e_1, e_2, \ldots, e_h) is described 
by 

activate(p) = \prod_{j=1}^{h} activate(e_j). 

Theorem 3.4 ([58]) Let G be a KFDD of a Boolean function f \in B_n and 
P the set of the paths from the root node of G to the terminal node 1. Then 

\bigoplus_{p \in P} activate(p) 

is a description of f. 

Reduced ordered KFDDs are a canonical representation of Boolean functions 
as well. Of course, as ROBDDs and reduced ordered Davio FDDs are special cases 
of reduced ordered KFDDs, the size of the minimum-sized reduced ordered KFDD of a 
Boolean function f is not larger than the minimum of the sizes of the ROBDD 
and of the reduced ordered Davio FDDs of f. However, the problem with reduced ordered 
FDDs and KFDDs is that the synthesis operations \cdot and + can exponentially 
blow up the size of the decision diagrams [6, 40], while the synthesis operations 
for ROBDDs can be performed by polynomial time algorithms. 

In [5], Becker et al. showed that when considering canonical representations 
with complemented edges there is no further decomposition type besides Boole-
Shannon, positive Davio, and negative Davio that can reduce the size of ordered 
decision diagrams. 

4. Representations of pseudo-Boolean functions 

In this section, we introduce how to represent pseudo-Boolean functions by 
multiplicative binary moment diagrams (*BMDs). *BMDs have been intro-
duced by Bryant and Chen [22, 23]. They incorporate two novel features 
compared to ROBDDs. They are based on a decomposition of a linear function 
in terms of its moments. Furthermore, they have weights associated with their 
edges which are combined multiplicatively. These features are derived from 
the Davio decomposition used by FDDs and the additive edge weights used in 
so-called edge-valued BDDs [84]. 

*BMDs have been motivated by the necessity to represent pseudo-Boolean 
functions f \in Z_n. As already shown in Theorem 2.3, such functions can be 
decomposed by moment decomposition with respect to a variable x_i, which is 
defined as 

f = f_{x_i=0} + x_i \cdot f_{\dot{x}_i}, 

where \cdot and + denote integer multiplication and integer addition, respectively. 
Note that x_i is interpreted here as an integer-valued function with image 
\{0, 1\}. The negative cofactor f_{x_i=0} is called the constant moment as it is 
added independently of the assignment of x_i. f_{\dot{x}_i}, which is given by 
\partial f / \partial x_i = f_{x_i=1} - f_{x_i=0}, is called the linear moment of f with respect to variable x_i. 

4.1 Basic definitions 

We start with the definition of binary moment diagrams before descending to 
multiplicative binary moment diagrams. The structure of ordered binary mo-
ment diagrams is similar to that of ordered BDDs, except that the terminal nodes 
are labelled with integer values and they are based on the moment decomposition. 

Definition 3.13 (binary moment diagram) A binary moment diagram 
over X_n is a rooted, directed, acyclic graph G = (V, E, index, value). An 
internal node v \in V has as label a variable index(v) \in X_n and exactly 
two successors low(v) and high(v). The edges pointing to the successors are 
named low-edge, or 0-edge, and high-edge, or 1-edge, respectively. The succes-
sors themselves are named low-successor, or 0-successor, and high-successor, 
or 1-successor, respectively. The terminal nodes have no successor and are 
labelled with integer values. 

A binary moment diagram is called ordered if the variables appear in the same 
order on every path from the root to the terminal nodes. 

Definition 3.14 (interpretation of binary moment diagrams) 
Let G = (V, E, index, value) be a binary moment diagram over X_n and v \in V 
be a node of G. The pseudo-Boolean function \phi(v) \in Z_n which is computed 
at node v is defined as follows. 

■ If v is a terminal node, then \phi(v) is the constant pseudo-Boolean function 
with \phi(v)(a) = value(v) for each a \in \{0,1\}^n. 

■ If v is an internal node and index(v) = x_i, then 

\phi(v) = \phi(low(v)) + x_i \cdot \phi(high(v)), 

where \cdot and + denote integer multiplication and integer addition, respec-
tively. 

Once again, the concept of activated paths can be used in order to evaluate a 
binary moment diagram. We can apply the same definition as for FDDs (see 
Definition 3.11). The evaluation process adds the values of the terminal nodes 
of the activated paths which start at the root node and end at terminal nodes. 
Theorem 3.5 Let G be a binary moment diagram of a pseudo-Boolean func-
tion f \in Z_n and P the set of the paths which start at the root node r_G of G and 
end at terminal nodes. Then 

\sum_{p \in P} activate(p) \cdot value(p) 

is a description of f. value(p) denotes the value of the terminal node of path 
p. 
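The following evaluator is an added example, not code from the book. It implements the activation conditions of Definition 3.12 for S, pD and nD nodes together with the moment nodes of Definition 3.14 (marked "M" here, an assumed tag), enumerates the activated root-to-terminal paths of a diagram, and checks Theorem 3.4 (parity of the activated paths to terminal 1) and Theorem 3.5 (sum of the terminal values of the activated paths) against direct evaluation of the decomposition at every node. The three diagrams, including an FDD built as the text describes Figure 3.12, the node names and the reference functions are constructed for this example.

```python
# Activated-path evaluation of ordered decision diagrams (added example, not
# the book's code). A node is (variable_position, dtype, low, high) with dtype
# "S", "pD", "nD" (Definition 3.12) or "M" for moment nodes (Definition 3.14);
# terminals are plain integers. Variable i of the order is a[i] in assignments.
from itertools import product

def activate(dtype, edge, x):
    """Activation condition of one edge given the value x of the node's
    variable. 'M' behaves like pD: low always, high iff x = 1."""
    if edge == "low":
        return 1 if dtype in ("pD", "nD", "M") else 1 - x   # S: low iff x = 0
    return 1 - x if dtype == "nD" else x                     # nD: high iff x = 0

def activated_paths(dd, node, a):
    """Terminal values of all root-to-terminal paths activated under a."""
    if isinstance(node, int):
        return [node]
    i, dtype, low, high = dd[node]
    out = []
    if activate(dtype, "low", a[i]):
        out += activated_paths(dd, low, a)
    if activate(dtype, "high", a[i]):
        out += activated_paths(dd, high, a)
    return out

def eval_by_paths(dd, root, a, boolean):
    """Theorem 3.4 (XOR over activated paths) or Theorem 3.5 (integer sum)."""
    vals = activated_paths(dd, root, a)
    return sum(vals) % 2 if boolean else sum(vals)

def eval_recursive(dd, node, a):
    """Reference: evaluate the decomposition stored at each node directly."""
    if isinstance(node, int):
        return node
    i, dtype, low, high = dd[node]
    lo, hi, x = eval_recursive(dd, low, a), eval_recursive(dd, high, a), a[i]
    if dtype == "S":
        return hi if x else lo
    if dtype == "pD":
        return lo ^ (x & hi)
    if dtype == "nD":
        return lo ^ ((1 - x) & hi)
    return lo + x * hi                                       # "M"

# Positive-Davio FDD of (x1*x3*x4) + x2 with root x2, built as described for
# Figure 3.12 (constructed here; a = (x1, x2, x3, x4)).
FDD = {
    "n4": (3, "pD", 0, 1),             # x4
    "n3": (2, "pD", 0, "n4"),          # x3*x4
    "n1a": (0, "pD", 0, "n3"),         # x1*x3*x4
    "n1b": (0, "pD", 1, "n3"),         # 1 xor x1*x3*x4 = (x1*x3*x4)'
    "root": (1, "pD", "n1a", "n1b"),   # x1x3x4 xor x2*(x1x3x4)' = x1x3x4 + x2
}
# KFDD of x1 xor x2 with d(x1) = S and d(x2) = nD (constructed).
KFDD = {
    "k2": (1, "nD", 1, 1),             # 1 xor x2' = x2
    "k2n": (1, "nD", 0, 1),            # 0 xor x2' = x2'
    "root": (0, "S", "k2", "k2n"),
}
# Unweighted BMD of 6 + 2*x1 + 4*x1*x2 by moment decomposition (constructed).
BMD = {"m2": (1, "M", 2, 4), "root": (0, "M", 6, "m2")}

def check(dd, root, ref, n, boolean):
    """Both evaluations agree with ref on all 2^n assignments."""
    for a in product((0, 1), repeat=n):
        if eval_by_paths(dd, root, a, boolean) != ref(a):
            return False
        if eval_recursive(dd, root, a) != ref(a):
            return False
    return True

if __name__ == "__main__":
    print(check(FDD, "root", lambda a: (a[0] & a[2] & a[3]) | a[1], 4, True))
    print(activated_paths(FDD, "root", (1, 0, 0, 0)))      # two activated paths
```

Running the FDD under the assignment (1, 0, 0, 0) yields exactly two activated paths, both ending at terminal 0, which matches the count given in the caption of Figure 3.12 and the value f = 0.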

In the following, we consider reduced ordered binary moment diagrams only. 
We call them BMDs, as they are a canonical representation of pseudo-Boolean 
functions. 

Definition 3.15 (reduced ordered binary moment diagram) 
An ordered binary moment diagram is called reduced if there are no isomorphic 
subgraphs and unnecessary nodes in the binary moment diagram, i.e., there are 
no two distinct nodes that are root nodes of isomorphic subgraphs and there is 
no internal node with the high-edge pointing to a terminal node labelled with 
value 0. 

BMD is going to be used as short hand for reduced ordered binary moment 
diagram, in the following. 

Multiplicative binary moment diagrams (*BMDs) have the same structure as 
BMDs, except that a *BMD makes use of a common integer factor in the 
constant and linear moment. It extracts this factor and places it as a so-called 
edge-weight on the incoming edge to the node. In this context, we interpret 
the pointer to the root node of a *BMD as an edge. Let us denote the weight 
of an edge e by \omega_e. Then, a *BMD F with root node r_F labelled with x_i and 
weight \omega_F on the incoming edge of r_F represents the pseudo-Boolean function 
\phi(\omega_F, r_F) defined by 

\phi(\omega_F, r_F) = \omega_F \cdot (\phi(\omega_{(r_F, low(r_F))}, low(r_F)) + x_i \cdot \phi(\omega_{(r_F, high(r_F))}, high(r_F))). 

If r_F is a terminal node, then \phi(\omega_F, r_F) is the constant function defined by 
\phi(\omega_F, r_F) = \omega_F \cdot value(r_F). 

We denote \phi(\omega_F, r_F) by \phi(F) in the following. 

To make the *BMD representation canonical, some further restrictions are nec-
essary. These restrictions are called normalizing rules. 

1. A *BMD may contain at most two terminal nodes, which are labelled with 
value 0 and value 1, respectively. We call them terminal node 0 and terminal 
node 1, respectively. 

2. The weights of all the edges must be different from 0. 

3. If an edge points to the terminal node 0, its weight must be 1. If a low-edge 
points to terminal node 0, the weight of the corresponding high-edge has to 
be 1, too. 

4. The weights of all the low-edges must be nonnegative values. 

5. The weights of the outgoing edges of an internal node must have greatest 
common divisor 1, i.e., 

gcd(\omega_{(v, low(v))}, \omega_{(v, high(v))}) = 1 

must hold for each internal node v. 

6. A *BMD has to be reduced, i.e., there must not be two distinct nodes that 
are root nodes of isomorphic subgraphs, and there must not be an internal 
node with the high-edge pointing to terminal node 0. 

For illustration, consider Figure 3.13. Edge-weights are written in square boxes 
on the corresponding edges. Edges without square boxes have edge-weight 1. 
For a better understanding, we have inserted the pseudo-Boolean functions 
represented at the nodes of the *BMD into the figure. 




Figure 3.13. *BMD of the function • *3 -I- 2 • *2 • sr -f 3 • • X 4 — 6 • a:i • 0:3 • *4 

Now, before proving canonicity, let us show the following lemma which we are 
going to apply throughout the proof of Theorem 3.6. 

Lemma 3.1 Let f be a pseudo-Boolean function with $f \neq 0$, F be a nor- 
malized *BMD of f with root node $r_F$, and $d \geq 2$ a natural number. If d is a 
divisor of f, i.e., $f = d \cdot g$ for some adequate pseudo-Boolean function g, then 
the weight $\omega_F$ of the incoming edge of $r_F$ is a multiple of d. 

Proof: Let us prove the lemma by induction on the height of F. 

First, we assume that $r_F$ is a terminal node, i.e., f is the constant pseudo-Boolean 
function $c \in Z_n$ defined by $c(a) = c$ for all $a \in \{0, 1\}^n$, $c \in \mathbb{Z}$. Because of 
the first normalizing rule (and $f \neq 0$), $r_F$ is terminal node 1 and the weight $\omega_F = c$, 
which proves the statement for this case. 

Now, we assume that both successors $low(r_F)$ and $high(r_F)$ are terminal nodes, 
i.e., $f = \omega_F \cdot (\omega_{(r_F, low(r_F))} + \omega_{(r_F, high(r_F))} \cdot x_i)$ with $i = index(r_F)$. 
(If $low(r_F)$ is terminal node 0, then both outgoing weights are 1 by the third 
normalizing rule, $f = \omega_F \cdot x_i$, and d divides $\omega_F$ directly.) Otherwise, if d is not 
a divisor of $\omega_F$, some prime factor of d which does not divide $\omega_F$ divides both 
$\omega_{(r_F, low(r_F))}$ and $\omega_{(r_F, high(r_F))}$, so their greatest common divisor 
is greater than 1, which is in contradiction to the fifth normalizing rule. 

Now, let us consider the general case. Assume that d is not a divisor of $\omega_F$, then 
there is a constant $\delta \geq 2$ which is a divisor of both $\phi(\omega_{(r_F, low(r_F))},\, low(r_F))$ 
and $\phi(\omega_{(r_F, high(r_F))},\, high(r_F))$. By induction, it follows that $\delta$ is a divisor of 
both edge weights $\omega_{(r_F, low(r_F))}$ and $\omega_{(r_F, high(r_F))}$ (if $low(r_F)$ is terminal 
node 0, the induction applied to the high-edge alone gives $\delta \mid 1$). This contradicts the fact 
that F meets the fifth normalizing rule as $\delta \geq 2$. ■ 

Theorem 3.6 Let $\pi \in Per(N_n)$ be any permutation of $N_n$. Then for each 
pseudo-Boolean function $f \in Z_n$ there exists, up to isomorphy, only one *BMD 
F over $X_n$ which is ordered with respect to $\pi$ and which meets the normalizing 
rules. 

Proof: Analogously to Theorem 3.2, we prove the canonicity of *BMDs by 
induction. 

Let c be an integer and $G_c$ a *BMD of the constant pseudo-Boolean function 
$c \in Z_n$ defined by $c(a) = c$ for all $a \in \{0, 1\}^n$, which meets the normalizing 
rules. Now, assume that $G_c$ contains an internal node v. Then, node v is 
labelled with a variable $x_i \in X_n$. However, function c is independent of $x_i$. 
Thus, the linear moment of c with respect to $x_i$ is the function 0 and the high-edge 
of v points to terminal node 0. This is a contradiction to the fact that $G_c$ meets 
the last normalizing rule. Therefore, $G_c$ consists of one terminal node t. If 
c = 0, then t is terminal node 0 because of the second normalizing rule. The 
weight of the incoming pointer is 1 because of the third rule. If $c \neq 0$, then t 
is terminal node 1 and the weight of the incoming pointer has to be c because 
of the first normalizing rule. This proves that there is only one *BMD of the 
constant pseudo-Boolean function c. 

Now, let $f \in Z_n$ be a pseudo-Boolean function which depends on at least one 
Boolean variable. Let G and H be two normalized *BMDs of f with respect 
to the variable order induced by $\pi$. Furthermore, let $r_G$ and $r_H$ be the root 
nodes of G and H, respectively. As G and H represent the same pseudo- 
Boolean function f and neither the high-edge of $r_G$ nor the high-edge of $r_H$ 
points to terminal node 0, f depends on both variable $index(r_G)$ and variable 
$index(r_H)$. It follows that $index(r_G) = index(r_H)$ holds because G and H 
are defined with respect to the same variable order. As the constant moment 
and the linear moment of a pseudo-Boolean function with respect to a variable 
are uniquely defined, the equations 

$$\omega_G \cdot \phi(\omega_{(r_G, low(r_G))},\, low(r_G)) = \omega_H \cdot \phi(\omega_{(r_H, low(r_H))},\, low(r_H))$$

and 

$$\omega_G \cdot \phi(\omega_{(r_G, high(r_G))},\, high(r_G)) = \omega_H \cdot \phi(\omega_{(r_H, high(r_H))},\, high(r_H))$$

hold, too. 

By induction, there is, up to isomorphy, only one *BMD of 

$$\omega_G \cdot \phi(\omega_{(r_G, low(r_G))},\, low(r_G))$$

which is defined with respect to $\pi$ and meets the normalizing rules. Analo- 
gously, there is, up to isomorphy, exactly one such *BMD of 

$$\omega_G \cdot \phi(\omega_{(r_G, high(r_G))},\, high(r_G))$$

as well. 

Because of Lemma 3.1 and the fact that both *BMD G and *BMD H meet the 
normalizing rules, the two equations 

$$\omega_G \cdot \omega_{(r_G, low(r_G))} = \omega_H \cdot \omega_{(r_H, low(r_H))},$$

$$\omega_G \cdot \omega_{(r_G, high(r_G))} = \omega_H \cdot \omega_{(r_H, high(r_H))}$$

hold. 

Because of the fourth normalizing rule, both weights $\omega_{(r_G, low(r_G))}$ and $\omega_{(r_H, low(r_H))}$ 
are nonnegative. Now assume that the weights $\omega_{(r_G, low(r_G))}$ and $\omega_{(r_H, low(r_H))}$ 
differ. It follows that $\omega_G$ and $\omega_H$ also differ because of the two equations 
above. However, this is in contradiction to the fact that the constant and linear 
moment of f with respect to a variable are well-defined and Lemma 3.1: by the two 
equations, the ratio $\omega_G / \omega_H$ equals both $\omega_{(r_H, low(r_H))} / \omega_{(r_G, low(r_G))}$ and 
$\omega_{(r_H, high(r_H))} / \omega_{(r_G, high(r_G))}$, and two pairs of coprime integers (fifth rule) with 
nonnegative first components (fourth rule) and the same ratio are identical. Thus, 
the equations 

$$\omega_G = \omega_H,$$

$$\omega_{(r_G, low(r_G))} = \omega_{(r_H, low(r_H))},$$

$$\omega_{(r_G, high(r_G))} = \omega_{(r_H, high(r_H))}$$

hold and the theorem follows analogously to the proof of Theorem 3.2. ■ 

For the sake of clarity, the graphical representations of *BMDs shown in the 
following illustrations have more than two terminal nodes, in general. However, 
it is straightforward to transform them into representations which meet the 
normalizing rules (see Section 4.2). 

To demonstrate the difference between BMDs and *BMDs, we refer to Figure 
3.14a and Figure 3.14b which show the BMD and the *BMD of the 3-bit integer 
multiplier, i.e., the pseudo-Boolean function $x \cdot y$. 

Figure 3.14a. BMD of the 3-bit integer multiplier $x \cdot y$. 

Figure 3.14b. *BMD of the 3-bit integer multiplier $x \cdot y$. 



Note that the representational power of *BMDs is greater than that of BMDs 
[4, 22]. The minimum sized *BMD of a pseudo-Boolean function / never 
contains more nodes than a BMD representation of /. Additionally, there is an 
exponential gap between both decision diagrams, as the *BMD representation 
of the pseudo-Boolean function 2* : {0, 1}” ^ Z defined by 

V(ao, . . . , an-i) G {0, 1}” : 2^{ao, ..., a„_i) = 

consists of a linear number of nodes whereas a BMD representation contains 
an exponential number of nodes. Figure 3.15a and Figure 3.15b show both 
representations for n = 3. It follows that with respect to efficient representations 
it is advantageous to use *BMDs. 

4.2 Complexity of the essential operations 

Now, let us investigate the complexities of the essential operations for *BMDs. 
We describe key algorithms for constructing and manipulating *BMDs. The 
algorithms have a similar style to their counterparts for ROBDDs. Unlike op- 
erations on ROBDDs where the complexities are at worst polynomial in the 
argument sizes, most operations on *BMDs potentially have exponential com- 
plexity. However, Bryant and Chen [22] showed that normally these exponential 
cases do not arise in applications. 
Figure 3.15a. BMD of function $2^x$. 

Figure 3.15b. *BMD of function $2^x$. 



4.2.1 Maintaining canonicity 

Given an ordered multiplicative binary moment diagram which does not meet 
the normalizing rules given above, we can transform it into a *BMD which fulfills 
the properties by a bottom-up pass through the diagram. For each node v, we 
first ask whether v is a terminal node or an internal node. 

■ If v is a terminal node labelled with a value $c \notin \{0, 1\}$, each incoming 
edge e of v is redirected to terminal node 1. Additionally, the weight is 
multiplied by value c. 

■ If v is an internal node, we apply the following transformation steps: 

1. If the weight of the low-edge e of v is value 0, then edge e is redirected 
to terminal node 0. 

2. If the low-edge e points to terminal node 0, then the weight of e is set 
to 1. Additionally, the weights of the incoming edges of v are multiplied 
by the weight of the high-edge of v, which is finally set to 1, too. 

3. If the weight of the low-edge e of v is a negative value, the weights 
of the incoming edges of v, the weight of the low-edge of v, and the 
weight of the high-edge of v are multiplied by −1. 

4. Compute the greatest common divisor 

$$\gamma = \gcd\big(\omega_{(v, low(v))}, \omega_{(v, high(v))}\big)$$

of the weights of the low- and high-edge of v. Multiply the weights of 
the incoming edges of v by $\gamma$ and divide the weights of the outgoing 
edges of v by $\gamma$. 

5. Apply the two reduction rules, the merging rule and the deletion rule. 

Thus, the canonical *BMD representation of a pseudo-Boolean function f 
which is given by a (non-canonical) ordered multiplicative binary moment di- 
agram F can be computed in time $O(|F|)$. 

4.2.2 Integer addition 

Since the co-domain of pseudo-Boolean functions is the set of the integers, 
arithmetical operations applied to *BMDs play a central role. We concen- 
trate on integer addition and integer multiplication as they are used by formal 
verification methods. 

We start with integer addition for BMDs. The basic algorithm for integer 
addition of BMDs which is shown in Figure 3.16 follows the ITE-algorithm 
for ROBDDs of Figure 3.8. It is based on the property that taking moments of 
pseudo-Boolean functions commutes with integer addition, i.e., 

$$f + g = (f_{x_i=0} + x_i \cdot f_{\dot x_i}) + (g_{x_i=0} + x_i \cdot g_{\dot x_i}) = (f_{x_i=0} + g_{x_i=0}) + x_i \cdot (f_{\dot x_i} + g_{\dot x_i})$$

holds for all pseudo-Boolean functions f and g which are defined over the same 
set $X_n$ of variables. 

Since in the algorithm shown in Figure 3.16 the smallest variable x occurring 
in F and G is taken in each iteration, the computation of the BMDs $F_{x=0}$ 
and $F_{\dot x}$ of the constant moment $\phi(F)_{x=0}$ and linear moment $\phi(F)_{\dot x}$ of $\phi(F)$, 
respectively, can be performed in linear time (see Section 4.2.5). 

Because of the computed table which is used by the ADD-algorithm, there are 
no more calls than pairs consisting of one node of F and one node of G. Thus, 
the overall algorithm for integer addition of two BMDs has worst case time 
complexity $O(|F| \cdot |G|)$. 

The algorithm for integer addition of *BMDs is slightly more complicated 
because of the edge weights. Let F and G be two *BMDs with root nodes $r_F$ 
and $r_G$, and let $x_i$ be the smallest variable occurring in F and G (for the 
recursion below assume both root nodes are labelled with $x_i$; otherwise the 
moment computation of Section 4.2.5 supplies the missing successor). Let us 
denote the weights of the incoming edges of $r_F$ and $r_G$ by $\omega_F$ 
and $\omega_G$. Then, the following recursion holds 

$$\begin{aligned} \phi(F) + \phi(G) &= \phi(\omega_F, r_F) + \phi(\omega_G, r_G) \\ &= \omega_F \cdot \big(\phi(\omega_{(r_F, low(r_F))},\, low(r_F)) + x_i \cdot \phi(\omega_{(r_F, high(r_F))},\, high(r_F))\big) \\ &\quad + \omega_G \cdot \big(\phi(\omega_{(r_G, low(r_G))},\, low(r_G)) + x_i \cdot \phi(\omega_{(r_G, high(r_G))},\, high(r_G))\big) \\ &= \big(\omega_F \cdot \phi(\omega_{(r_F, low(r_F))},\, low(r_F)) + \omega_G \cdot \phi(\omega_{(r_G, low(r_G))},\, low(r_G))\big) \\ &\quad + x_i \cdot \big(\omega_F \cdot \phi(\omega_{(r_F, high(r_F))},\, high(r_F)) + \omega_G \cdot \phi(\omega_{(r_G, high(r_G))},\, high(r_G))\big) \end{aligned}$$
ADD(F, G) 
begin 
  if TERMINAL_CASE("ADD", F, G, result) 
    then return result; 
  fi; 
  if FIND_IN_COMPUTED_TABLE("ADD", F, G, result) 
    // true iff ADD(F, G) has already been computed 
    then return result; 
  fi; 
  x = smallest variable occurring in F and G; 
  low = ADD(F_{x=0}, G_{x=0}); 
  high = ADD(F_{ẋ}, G_{ẋ}); 
  if high == 0 
    then result = low; 
    else result = FIND_OR_ADD_UNIQUE_TABLE(x, low, high); 
  fi; 
  INSERT_IN_COMPUTED_TABLE("ADD", F, G, result); 
  return result; 
end; 

Figure 3.16. Algorithm for adding two BMDs F and G ordered with the same variable order. 



$$= \big(\phi(\omega_F \cdot \omega_{(r_F, low(r_F))},\, low(r_F)) + \phi(\omega_G \cdot \omega_{(r_G, low(r_G))},\, low(r_G))\big) + x_i \cdot \big(\phi(\omega_F \cdot \omega_{(r_F, high(r_F))},\, high(r_F)) + \phi(\omega_G \cdot \omega_{(r_G, high(r_G))},\, high(r_G))\big).$$

Thus, the number of calls of the corresponding ADD procedure is not restricted 
anymore by the product of the number of nodes but by the product of the 
number of paths in the *BMDs under consideration on which the edge weights 
are ’’gathered”. The number of paths of a *BMD can be exponential in the size 
of the operands. 

4.2.3 Integer multiplication 

Integer multiplication applied to two BMDs F and G representing the pseudo- 
Boolean functions f and g is based on the recursive equation 

$$\begin{aligned} f \cdot g &= (f_{x_i=0} + x_i \cdot f_{\dot x_i}) \cdot (g_{x_i=0} + x_i \cdot g_{\dot x_i}) \\ &= f_{x_i=0} \cdot g_{x_i=0} + x_i \cdot (f_{x_i=0} \cdot g_{\dot x_i} + f_{\dot x_i} \cdot g_{x_i=0} + f_{\dot x_i} \cdot g_{\dot x_i}) \end{aligned}$$

(using $x_i \cdot x_i = x_i$). The corresponding algorithm is shown in Figure 3.17. 



MUL(F, G) 
begin 
  if TERMINAL_CASE("MUL", F, G, result) 
    then return result; 
  fi; 
  if FIND_IN_COMPUTED_TABLE("MUL", F, G, result) 
    // true iff MUL(F, G) has already been computed 
    then return result; 
  fi; 
  x = smallest variable occurring in F and G; 
  E1 = MUL(F_{x=0}, G_{x=0}); 
  E2 = MUL(F_{x=0}, G_{ẋ}); 
  E3 = MUL(F_{ẋ}, G_{x=0}); 
  E4 = MUL(F_{ẋ}, G_{ẋ}); 
  E5 = ADD(E2, E3); 
  E6 = ADD(E5, E4); 
  if E6 == 0 
    then result = E1; 
    else result = FIND_OR_ADD_UNIQUE_TABLE(x, E1, E6); 
  fi; 
  INSERT_IN_COMPUTED_TABLE("MUL", F, G, result); 
  return result; 
end; 

Figure 3.17. Algorithm for multiplying two BMDs F and G. 



The algorithm for *BMDs is a straightforward generalization of the algorithm 
shown in Figure 3.17. Its worst case time complexity is exponential in the size 
of the operands as the algorithm contains integer additions of *BMDs. 

4.2.4 Boolean operations 

The Boolean functions of $B_n$ are just a special case of the numeric functions 
of $Z_n$. Therefore, Boolean functions can be represented as *BMDs as well. 
For that purpose, we have to translate Boolean operations into arithmetical 
operations. This can be done in a quite easy way by using the relations 

$$f \wedge g = f \cdot g,$$

$$f \vee g = f + g - f \cdot g,$$

and 

$$f' = 1 - f$$

for Boolean functions f and g of $B_n$. (For the sake of clearness, we excep- 
tionally use the symbols $\wedge$ and $\vee$ for denoting the logical-and operator and 
the logical-or operator, respectively, and the symbols $\cdot$ and $+$ for denoting in- 
teger multiplication and integer addition, respectively.) It is easy to check 
that the minimum sized *BMD of the logical-or of multiple variables contains 
more internal nodes than the corresponding ROBDD [23]. Thus, *BMDs do 
not guarantee the same representation size as ROBDDs. Actually, there are 
Boolean functions in $B_n$ which have ROBDDs of polynomial size but *BMDs 
of exponential size only [4]. 

4.2.5 Moment computation 

In *BMD based formal verification procedures, cofactor computation is not 
of interest but computation of the constant moment and linear moment of a 
pseudo-Boolean function with respect to a variable $x_i$. Usually, the smallest 
variable of the variable order of the *BMD or the smallest variable occurring 
in the *BMD is chosen for the decomposition. 

Let F be a BMD. Let $x_i$ be the first variable in the variable order of F. Then 
the BMDs $F_{x_i=0}$ and $F_{\dot x_i}$ of the constant moment $\phi(F)_{x_i=0}$ and linear moment 
$\phi(F)_{\dot x_i}$ of $\phi(F)$, respectively, are computed as follows: Either the root node 
$r_F$ of BMD F is not labelled with $x_i$ or it is labelled with $x_i$. In the first case, 
$\phi(F)$ is independent of $x_i$. Thus, $\phi(F)_{x_i=0} = \phi(F)$ holds and $\phi(F)_{\dot x_i}$ is the 
constant function 0. In the latter case, we have $\phi(F)_{x_i=0} = \phi(low(r_F))$ and 
$\phi(F)_{\dot x_i} = \phi(high(r_F))$. 

The generalization to *BMDs F with root node $r_F$ is straightforward because 
of 

$$\phi(F)_{x_i=0} = \begin{cases} \phi(F) & \text{if } index(r_F) \neq x_i \\ \phi(\omega_F \cdot \omega_{(r_F, low(r_F))},\, low(r_F)) & \text{if } index(r_F) = x_i \end{cases}$$

and 

$$\phi(F)_{\dot x_i} = \begin{cases} 0 & \text{if } index(r_F) \neq x_i \\ \phi(\omega_F \cdot \omega_{(r_F, high(r_F))},\, high(r_F)) & \text{if } index(r_F) = x_i. \end{cases}$$
4.2.6 Substitution by functions 

The substitution of variables in *BMDs by pseudo-Boolean functions plays a 
central role in the formal verification method of Hamaguchi et al. [57], which 
will be explained in Chapter 4. 



SUBST(F, x, G) 
begin 
  if TERMINAL_CASE("SUBST", F, x, G, result) 
    then return result; 
  fi; 
  if FIND_IN_COMPUTED_TABLE("SUBST", F, x, G, result) 
    // true iff SUBST(F, x, G) has already been computed 
    then return result; 
  fi; 
  y = smallest variable occurring in F; 
  if y == x 
    then result = ADD(F_{y=0}, MUL(G, F_{ẏ})); 
    else 
      E1 = SUBST(F_{y=0}, x, G); 
      E2 = SUBST(F_{ẏ}, x, G); 
      E3 = FIND_OR_ADD_UNIQUE_TABLE(y, 0, 1); 
      // returns the *BMD of the Boolean function y 
      E4 = MUL(E2, E3); 
      result = ADD(E1, E4); 
  fi; 
  INSERT_IN_COMPUTED_TABLE("SUBST", F, x, G, result); 
  return result; 
end; 

Figure 3.18. Sketch of the substitution algorithm for *BMDs. 

Let us consider the substitution of a variable $x_i$ in the *BMD F of a pseudo- 
Boolean function f by a *BMD G of another pseudo-Boolean function g. 
According to the moment decomposition 

$$f = f_{x_i=0} + x_i \cdot f_{\dot x_i}$$

of f with respect to $x_i$ it is based on the formula 

$$f_{x_i=g} = f_{x_i=0} + g \cdot f_{\dot x_i}.$$
A sketch of the substitution algorithm can be seen in Figure 3.18. It starts with 
the *BMD F, the *BMD G, and the variable x that is to be substituted. If the 
top variable y of F is not the variable to be substituted, the algorithm calls itself 
recursively with the low- and high-successor of the root of F. Then, the *BMD 
is reassembled. If variable x is found, an integer multiplication and an integer 
addition over *BMDs are performed according to the above equation. 

The problem of the substitution algorithm is that the algorithms ADD for inte- 
ger addition and MUL for integer multiplication have exponential worst case 
behavior when using *BMDs. However, under specific conditions which exist 
for example during multiplier verification by backward construction one can 
formally prove that the worst case will not occur [74]. We will deal with this 
fact in Chapter 4. 
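The following Python module is an added illustration of Sections 4.2.1 through 4.2.6; it is not code from the book nor from any *BMD package. It implements the normalizing rules as a bottom-up node constructor (`mk`), the moment computation of Section 4.2.5, and ADD, MUL and SUBST with computed tables. Nodes are plain tuples, so structural equality replaces the unique table, and the variable order is the numeric order of the integer variable indices. The helper names, the unsigned-encoding constructor `unsigned` and the `multiplier` builder used to reproduce the linear size of Figure 3.14b are this example's own assumptions.

```python
from math import gcd
from functools import lru_cache

# A *BMD edge is the pair (weight, node).  A node is either one of the two terminals
# or the tuple (x, low_edge, high_edge); the variable x is an int, smaller ints come
# first in the variable order.  Nodes are plain tuples, so structural equality is
# graph isomorphism and no explicit unique table is needed: after normalization two
# edges compare equal exactly when they represent the same pseudo-Boolean function.
T0, T1 = "T0", "T1"                        # terminal node 0 and terminal node 1 (rule 1)

def const(c):                              # constant function c; an edge to T0 has weight 1
    return (1, T0) if c == 0 else (c, T1)

def scale(c, e):                           # c * phi(e), keeping the edge to T0 at weight 1
    return const(0) if c == 0 or e[1] == T0 else (c * e[0], e[1])

def mk(x, low, high):
    """Normalized edge to an internal node labelled x (the bottom-up pass of 4.2.1)."""
    (wl, nl), (wh, nh) = low, high
    if wl == 0 or nl == T0:                # step 1 / rule 3: low-edge to terminal 0
        wl, nl = 1, T0
    if wh == 0 or nh == T0:                # deletion rule: the linear moment is 0
        return (wl, nl)
    w = 1
    if nl == T0:                           # step 2: move the high-edge weight upwards
        w, wh = wh, 1
    if wl < 0:                             # step 3: low-edge weight must be nonnegative
        w, wl, wh = -w, -wl, -wh
    g = gcd(wl, wh)                        # step 4: outgoing weights become coprime
    return (w * g, (x, (wl // g, nl), (wh // g, nh)))

def var(x):                                # the pseudo-Boolean function x
    return mk(x, const(0), const(1))

def top(e):                                # variable at the root; terminals sort last
    return float("inf") if e[1] in (T0, T1) else e[1][0]

def moments(e, x):
    """Edges of the constant and the linear moment of phi(e) w.r.t. x (Section 4.2.5)."""
    w, n = e
    if top(e) != x:                        # phi(e) does not depend on x
        return e, const(0)
    return scale(w, n[1]), scale(w, n[2])

@lru_cache(maxsize=None)                   # the computed table of ADD
def add(f, g):
    if f[1] == T0: return g
    if g[1] == T0: return f
    if f[1] == T1 and g[1] == T1: return const(f[0] + g[0])
    x = min(top(f), top(g))
    (f0, f1), (g0, g1) = moments(f, x), moments(g, x)
    return mk(x, add(f0, g0), add(f1, g1))

@lru_cache(maxsize=None)                   # the computed table of MUL
def mul(f, g):
    if f[1] == T1: return scale(f[0], g)
    if g[1] == T1: return scale(g[0], f)
    if f[1] == T0 or g[1] == T0: return const(0)
    x = min(top(f), top(g))
    (f0, f1), (g0, g1) = moments(f, x), moments(g, x)
    return mk(x, mul(f0, g0), add(add(mul(f0, g1), mul(f1, g0)), mul(f1, g1)))

@lru_cache(maxsize=None)
def subst(f, x, g):
    """f[x := g] = f_{x=0} + g * f_x, the recursion behind Figure 3.18."""
    y = top(f)
    if y > x: return f                     # x occurs nowhere below the root of f
    f0, f1 = moments(f, y)
    if y == x: return add(f0, mul(g, f1))
    return add(subst(f0, x, g), mul(var(y), subst(f1, x, g)))

def evaluate(e, a):                        # phi(e) at the assignment a: variable -> {0, 1}
    w, n = e
    if n == T0: return 0
    if n == T1: return w
    return w * (evaluate(n[1], a) + a[n[0]] * evaluate(n[2], a))

def size(e, seen=None):                    # number of internal nodes reachable from e
    seen = set() if seen is None else seen
    if e[1] not in seen and e[1] not in (T0, T1):
        seen.add(e[1]); size(e[1][1], seen); size(e[1][2], seen)
    return len(seen)

def unsigned(bits):                        # word-level value sum_j 2^j * bit_j (assumed encoding)
    f = const(0)
    for j, b in enumerate(bits):
        f = add(f, scale(2 ** j, b))
    return f

def multiplier(n):
    """*BMD of the n-bit unsigned multiplication x * y (cf. Figure 3.14b)."""
    x = unsigned([var(i) for i in range(n)])
    y = unsigned([var(n + i) for i in range(n)])
    return mul(x, y)
```

Because the result is canonical, checking two functions for equality is a tuple comparison: `add(var(1), mul(var(1), var(2)))` and `mul(var(1), add(const(1), var(2)))` build the same tuple, `subst` reproduces the recursion of Figure 3.18, and `size(multiplier(n))` returns 2n, the linear size claimed above for the word-level multiplier.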

4.2.7 Minimization of *BMDs 

Optimizing *BMDs has to be performed very carefully in order to avoid long 
running times. The problem is that exchanging neighboring variables in *BMDs 
does not only affect the neighboring levels under consideration [45]. Look at 
Figure 3.19 which shows two *BMDs of the pseudo-Boolean function f which 
is described by the arithmetic formula $x_1 - 2 \cdot x_2 + 2 \cdot x_1 \cdot x_2$ (cf. [45]). 

Figure 3.19. Two *BMDs of the same pseudo-Boolean function under different variable orders. 

The order of the right *BMD can be obtained by swapping both variables in the 
left *BMD only. Both *BMDs meet the normalizing rules. However, note that 
the two weights of the incoming edges of the root nodes differ. Now, imagine 
that this incoming edge is a low-edge of some internal node. Then, weights in 
upper levels have to be changed in order to restore the normalizing rules and 
maintain canonicity. 
That is why sifting should be applied to *BMDs without regard to the 
normalizing rules. In a postprocessing step, the resulting *BMD is normalized 
in order to guarantee canonicity. 

It is worthwhile to mention that Bryant and Chen [22] have noticed in their ex- 
periments that *BMDs are much less sensitive to variable ordering than ROB- 
DDs. 
Notes 

1 The symbol $\cdot$ denotes both the logical-and operator and the integer mul- 
tiplication operator. In general, the meaning of the symbol will be clear 
from the context. If this is not the case (as for example in Section 4.2.4) we 
exceptionally use the symbol $\wedge$ for denoting the logical-and operator. 

2 The symbol $+$ denotes both the logical-or operator and the integer-addition 
operator. In general, the meaning of the symbol will be clear from the context. 
If this is not the case (as for example in Section 4.2.4) we exceptionally use 
the symbol $\vee$ for denoting the logical-or operator. 
EQUIVALENCE CHECKING 
OF COMBINATIONAL CIRCUITS 




In the second part of the book we concentrate on formal equivalence checking 
of combinational circuits. Chapter 4 reviews the straightforward approaches 
(Bryant 1986 [20], Bryant and Chen 1995 [23], Hamaguchi et.al. [57]) to 
combinational equivalence checking which consist of transforming the two 
combinational circuits under consideration into canonical forms and checking 
whether the two canonical forms are equal. Usually, ROBDDs and *BMDs are 
used in this context. Unfortunately, these approaches have some bottlenecks: 

■ most papers published in literature only handle the problem of proving that 
an error-free circuit is error-free, 

■ the representational power of ROBDDs and *BMDs is too weak to efficiently 
represent some important Boolean functions, and 

■ the memory requirements may grow exponentially during the synthesis of 
the decision diagram despite the application of efficient variable ordering 
heuristics. This can be the case even when the functional behavior of the 
Boolean network under consideration can efficiently be represented by an 
ROBDD or a *BMD. 

We review the discussion about the first point made by Wefel and Molitor [145] 
and the approach presented by Hulgaard et.al [64] and Hett [60] which attack 
the second and the third difficulty. 

Another approach to equivalence checking of combinational circuits is based 
on automatic test pattern generation (ATPG) and satisfiability of conjunctive 
normal forms (SAT). The common idea of both approaches is to transform the 
equivalence checking problem into a satisfiability problem. Chapter 5 attends to 
these SAT- and ATPG-based methods [16, 55, 86, 123]. In particular, we review 
the basic algorithms for ATPG and SAT [34, 35, 96, 97, 149]. 

Usually, the circuits which have to be compared contain a significant number 
of internal signal lines which are functionally equivalent. These structural 
similarities can be exploited in order to either simplify the miter (see Figure 5.1 
on page 100) so that the corresponding satisfiability problem becomes easier or 
partition the problem into smaller and simpler equivalence checking problems. 
Chapter 6 presents both approaches [16, 77]. They are based on an idea of 
Berman and Trevillyan [9]. 

Chapter 7 addresses a special equivalence checking problem, the problem of 
black box equivalence checking. It occurs when the specification is known, but 
only parts of the implementation are finished or known. Black box equivalence 
checking enables the use of verification techniques in early stages of the design. 
Design errors can already be detected when only a partial implementation is 
at hand by combining parts of the implementation which are not yet finished 
into black boxes. The chapter has been written by the guest authors, Prof. Dr. 
Bernd Becker and Prof. Dr. Christoph Scholl, University Freiburg. It follows 
[129, 130]. 

Part II closes with the discussion of permutation independent Boolean compar- 
ison. This problem occurs in equivalence checking of combinational circuits 
since many verifiers use syntactical name matching to determine corresponding 
input variables and corresponding output variables of the circuits which have 
to be compared. This is one of the most important reasons for false negative 
results as during synthesis huge hierarchical designs lead to long hierarchical 
names for signal lines and backend tools often have severe restrictions on name 
lengths so that the names are shortened accordingly. Thus, the correspondence 
between the inputs and the outputs of the circuits under comparison has to 
be restored before calling equivalence checking methods as those presented in 
Chapters 4-6. Chapter 8 reviews the ideas presented in [105, 106, 108, 109]. 




Chapter 4 



USE OF CANONICAL DATA STRUCTURES 



The straightforward approach to solving the combinational logic-level equiva- 
lence problem is to use canonical forms. Here, the task of verifying whether two 
combinational circuits $M_1$ and $M_2$ are functionally equivalent consists of con- 
structing canonical forms of the functions realized by $M_1$ and $M_2$. However, 
traditional canonical representations such as truth tables and minterm forms 
(see Chapter 3) are quite impractical. The truth table of every Boolean function 
with n arguments is of size $2^n$. Many common functions applied in practice 
such as 32-bit integer addition and parity computation have no minterm form of 
practical size. ROBDDs and *BMDs are often substantially more compact than 
these traditional normal forms. For this reason, ROBDDs and *BMDs are usu- 
ally used if canonical data structures have to be applied. However, since some 
Boolean functions cannot be efficiently represented by them either, we have to 
resort to other approaches for those Boolean functions. These approaches are 
going to be discussed in the subsequent chapters. 

1. Synthesizing ROBDDs and *BMDs 

In this section, we concentrate on the techniques available to create the ROBDD 
or the *BMD of the function realized by a Boolean network $\mathcal{N}$ with n inputs and 
m outputs. If we handle the primary outputs independently of each other, then 
we create an ROBDD $F_i$ for each primary output $y_i$. We refer to this approach 
as bit-level verification. If the output variables are considered to represent 
an integer according to some encoding, then the Boolean network realizes a 
pseudo-Boolean function. Some common encodings are the unsigned binary, 
the sign-magnitude, and the two's complement; for a formal definition of 
these encodings we refer to Section 1.2.2. This approach is called word-level 
verification. Figure 4.1a and 4.1b illustrate this differentiation. 
Figure 4.1a. Bit-level representation of a Boolean network $\mathcal{N}$. $F_j$ denotes the ROBDD of the 
Boolean function computed at the jth primary output $y_j$. 

Figure 4.1b. Word-level representation of a Boolean network $\mathcal{N}$. F denotes the *BMD of the 
pseudo-Boolean function $f \in Z_n$ defined by $encoding \circ (f_{y_m} \times \ldots \times f_{y_1})$. 



1.1 Equivalence checking at the bit level 

In the following, let us assume that the Boolean networks under consideration 
are defined over the standard cell library 

$$\Omega_{std} = \{NOT, \cdot, \overline{\cdot}, +, \overline{+}, \oplus, \overline{\oplus}\} \subseteq B_1 \cup B_2.$$

Let $\mathcal{N}$ be such a Boolean network with n binary-valued inputs and one binary- 
valued output. (Note that it is enough to consider Boolean networks with 
one primary output only since, at the bit level, the outputs of a multi-output 
Boolean network have to be handled independently of each other.) Then, the 
ITE-operator introduced in Chapter 3 Section 3 provides the basic method for 
creating the ROBDD representation of $\phi(\mathcal{N}) \in B_n$. 

At first, the algorithm computes a topological sort [31] of the nodes of the 
Boolean network $\mathcal{N}$. Then, it explores the nodes according to this topological 
sort. At each node v of $\mathcal{N}$ but the primary output it creates the ROBDD of 
the Boolean function which is computed at the fanout edges of v. If v is the 
ith primary input, we associate v with the ROBDD of the Boolean function 
$x_i \in B_n$. If v is an inner node with direct predecessor(s) $w_1$ (and $w_2$), ROBDD 
$F_v$ is computed by applying the ITE algorithm to the ROBDD(s) of the direct 
predecessor(s), according to the following case differentiation with respect to 
the type of node v: 

$$F_v = \begin{cases} ITE(F_{w_1}, 0, 1) & \text{if } type(v) = NOT \\ ITE(F_{w_1}, F_{w_2}, 0) & \text{if } type(v) = \cdot \\ ITE(F_{w_1}, ITE(F_{w_2}, 0, 1), 1) & \text{if } type(v) = \overline{\cdot} \\ ITE(F_{w_1}, 1, F_{w_2}) & \text{if } type(v) = + \\ ITE(F_{w_1}, 0, ITE(F_{w_2}, 0, 1)) & \text{if } type(v) = \overline{+} \\ ITE(F_{w_1}, ITE(F_{w_2}, 0, 1), F_{w_2}) & \text{if } type(v) = \oplus \\ ITE(F_{w_1}, F_{w_2}, ITE(F_{w_2}, 0, 1)) & \text{if } type(v) = \overline{\oplus}. \end{cases}$$

If v is the primary output, i.e., $po(1) = v$, then v has exactly one incoming edge 
(w, v) for some node w, and $F_v$ is set to $F_w$. Thus, $F_{po(1)}$ is an ROBDD 
representation of the Boolean function $f(\mathcal{N})$ realized by the Boolean network 
$\mathcal{N}$. 

The procedure just described is called symbolic simulation or conventional 
symbolic simulation, in literature. 
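The symbolic simulation just described, as an added Python example (not code from the book or from any ROBDD package): a minimal ITE with a computed table, one ITE term per cell of the standard library exactly as in the case differentiation above, and a pass over a netlist given in topological order. The netlist format, the three full-adder implementations, their signal names and the `check_equivalence` helper, which returns an input vector on which two networks differ, are constructed for this example and are not part of the original text.

```python
from functools import lru_cache

# ROBDD nodes: the terminals are the ints 0 and 1, an internal node is the tuple
# (x, low, high) with the variable x an int (smaller ints earlier in the order).
# Tuples are hash-consed by equality, so two reduced diagrams are isomorphic iff ==.
def top(f):
    return f[0] if isinstance(f, tuple) else float("inf")

def cofactors(f, x):                       # (f_{x=0}, f_{x=1}); f is independent of x if x < top(f)
    return (f[1], f[2]) if top(f) == x else (f, f)

def mk(x, low, high):                      # reduction rule: drop a node with equal successors
    return low if low == high else (x, low, high)

@lru_cache(maxsize=None)                   # computed table
def ite(f, g, h):
    """ITE(f, g, h) = f*g + f'*h, the recursion of Chapter 3 Section 3."""
    if f == 1 or g == h: return g
    if f == 0: return h
    if g == 1 and h == 0: return f
    x = min(top(f), top(g), top(h))
    (f0, f1), (g0, g1), (h0, h1) = cofactors(f, x), cofactors(g, x), cofactors(h, x)
    return mk(x, ite(f0, g0, h0), ite(f1, g1, h1))

def var(x):
    return (x, 0, 1)

# One ITE term per cell type of the standard library, as in the case analysis of 1.1.
GATES = {
    "NOT":  lambda a:    ite(a, 0, 1),
    "AND":  lambda a, b: ite(a, b, 0),
    "NAND": lambda a, b: ite(a, ite(b, 0, 1), 1),
    "OR":   lambda a, b: ite(a, 1, b),
    "NOR":  lambda a, b: ite(a, 0, ite(b, 0, 1)),
    "XOR":  lambda a, b: ite(a, ite(b, 0, 1), b),
    "XNOR": lambda a, b: ite(a, b, ite(b, 0, 1)),
}

def symbolic_simulation(netlist, inputs):
    """Conventional symbolic simulation: `netlist` lists the gates in topological
    order as (output signal, cell type, input signals...); returns signal -> ROBDD."""
    bdd = {name: var(i) for i, name in enumerate(inputs)}   # primary input i is x_i
    for out, gate, *ins in netlist:
        bdd[out] = GATES[gate](*(bdd[s] for s in ins))
    return bdd

def satisfying_assignment(f):
    """One assignment {variable index: value} with f = 1, or None if f is the constant 0.
    Variables not listed are don't-cares (a reduced diagram skips them)."""
    a = {}
    while f != 1:
        if f == 0: return None
        x, low, high = f
        f, a[x] = (high, 1) if high != 0 else (low, 0)
    return a

def evaluate(f, a):                        # f at the assignment a (missing variables read 0)
    while isinstance(f, tuple):
        f = f[2] if a.get(f[0], 0) else f[1]
    return f

def check_equivalence(net_a, net_b, inputs, outputs):
    """Per output: None if both networks agree, else an input vector on which they differ
    (a satisfying assignment of the XOR of the two ROBDDs)."""
    a, b = symbolic_simulation(net_a, inputs), symbolic_simulation(net_b, inputs)
    return {o: satisfying_assignment(ite(a[o], ite(b[o], 0, 1), b[o])) for o in outputs}

# Three full-adder netlists over the standard cell library, constructed for this example.
INPUTS = ["x1", "x2", "x3"]
FA_XOR = [("t", "XOR", "x1", "x2"), ("s", "XOR", "t", "x3"),
          ("u", "AND", "x1", "x2"), ("v", "AND", "t", "x3"), ("c", "OR", "u", "v")]
FA_MAJ = [("t", "XNOR", "x1", "x2"), ("s", "XNOR", "t", "x3"),
          ("p", "AND", "x1", "x2"), ("q", "AND", "x1", "x3"), ("r", "AND", "x2", "x3"),
          ("pq", "OR", "p", "q"), ("c", "OR", "pq", "r")]
FA_BUG = FA_MAJ[:-1] + [("c", "OR", "p", "q")]     # faulty carry: the x2*x3 term is missing

if __name__ == "__main__":
    print(check_equivalence(FA_XOR, FA_MAJ, INPUTS, ["s", "c"]))
    print(check_equivalence(FA_XOR, FA_BUG, INPUTS, ["s", "c"]))
```

For the two correct netlists both outputs come back as None; for the faulty one the carry output yields the vector $x_1 = 0, x_2 = 1, x_3 = 1$, which is the kind of witness a verification engineer wants alongside the plain yes/no answer of the canonical-form comparison.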

1.2 Equivalence checking at the word level 

In verifying arithmetic circuits, we usually abstract from the bit-level repre- 
sentation of a Boolean network, where each signal is binary-valued, to a word 
level, where bundles of signals encode words of data. The basic idea has been 
illustrated in Figure 4.1b. 

1.2.1 Hierarchical approach 

The hierarchical approach to equivalence checking of arithmetic circuits has 
been presented by Bryant and Chen [22, 23]. It is based on partitioning the 
circuits into components with easy word-level specifications. At first, it is 
shown that the bit-level implementation of a component module implements 
correctly its word-level specification. Then the composition of the word-level 
specifications which is derived accordingly to the interconnection structure of 
the circuit is verified. 

A first idea is to construct a *BMD for each of the bit-level outputs of the 
components, much as would be done with ROBDDs. An implementation of 
the binary Boolean operations applied to *BMDs has been given in Chapter 3 
Section 4.2. 

For illustration, look at a circuit which should represent a full-adder with three 
inputs $x_1$, $x_2$, and $x_3$ and two outputs s and c denoting the sum- and the carry- 
output, respectively. Component verification first computes the *BMD of the 
binary-valued output s and the *BMD of the binary-valued output c. In case 
the circuit under consideration actually realizes a full-adder, the *BMDs of the 
Boolean functions computed at the signal lines s and c represent the Boolean 
functions 

$$sum(x_1, x_2, x_3) = x_1 \oplus x_2 \oplus x_3$$

and 

$$carry(x_1, x_2, x_3) = (x_1 \wedge x_2) \vee ((x_1 \oplus x_2) \wedge x_3),$$

respectively. (For the sake of clearness, once again we exceptionally use the 
symbols $\wedge$ and $\vee$ for denoting the logical-and operator and the logical-or op- 
erator, respectively. The symbols $\cdot$ and $+$ denote integer multiplication and 
addition, respectively, in the following considerations.) Applying the equa- 
tions 

$$a \wedge b = a \cdot b,$$

$$a \vee b = a + b - a \cdot b,$$

and 

$$\begin{aligned} a \oplus b &= (a \wedge b') \vee (a' \wedge b) \\ &= (a \cdot (1 - b)) \vee ((1 - a) \cdot b) \\ &= (a - a \cdot b) \vee (b - a \cdot b) \\ &= (a - a \cdot b) + (b - a \cdot b) - (a - a \cdot b) \cdot (b - a \cdot b) \\ &= a + b - 2 \cdot a \cdot b - (a \cdot b - a \cdot b - a \cdot b + a \cdot b) \\ &= a + b - 2 \cdot a \cdot b \end{aligned}$$

which hold for all $a, b \in \{0, 1\}$ (the last but one step uses $a \cdot a = a$ and 
$b \cdot b = b$), the corresponding pseudo-Boolean functions can be given by 

$$\begin{aligned} sum(x_1, x_2, x_3) &= x_1 \oplus x_2 \oplus x_3 \\ &= (x_1 + x_2 - 2 \cdot x_1 \cdot x_2) \oplus x_3 \\ &= (x_1 + x_2 - 2 \cdot x_1 \cdot x_2) + x_3 - 2 \cdot (x_1 + x_2 - 2 \cdot x_1 \cdot x_2) \cdot x_3 \\ &= x_1 + x_2 + x_3 - 2 \cdot x_1 \cdot x_2 - 2 \cdot x_1 \cdot x_3 - 2 \cdot x_2 \cdot x_3 + 4 \cdot x_1 \cdot x_2 \cdot x_3 \end{aligned}$$

and 

$$carry(x_1, x_2, x_3) = x_1 \cdot x_2 + x_1 \cdot x_3 + x_2 \cdot x_3 - 2 \cdot x_1 \cdot x_2 \cdot x_3.$$

The two *BMDs are shown in Figure 4.2a and Figure 4.2b. 




Figure 4.2a. *BMDs of the binary-valued output representing the sum-output s of a full-adder. 




Figure 4.2b. *BMDs of the binary- valued output representing the carry-output c of a full-adder. 



Now, the word-level representation of the component under consideration is 
obtained by simply generating the *BMD of $s + 2 \cdot c$ using integer multipli- 
cation and integer addition of *BMDs. Thus, we have transformed the bit- 
level representation of the component into a word-level representation of the 
circuit. Finally, the component verification is completed by comparing this 
word-level representation with the *BMD of the specification, which is the 
pseudo-Boolean function realized by a full-adder (see Figure 4.3). 

Figure 4.3. Word-level representation of a full-adder. 

For larger circuits, representing the bit-level functionality becomes too cumber- 
some and hence the method for component verification described above cannot 
be applied directly. For example, attempting to construct the bit-level func- 
tions of an integer multiplier (in particular the bit-level function realized by the 
middle bit of the multiplier) would cause an exponential blow-up with *BMDs 
[4, 29]. (Remember that the *BMD of the word-level representation of integer 
multiplication (see Figure 3.14b on page 56) has linear size.) Instead, Bryant 
and Chen follow a hierarchical approach in which the overall circuit is divided 
into components, each having a simple word-level specification. After the veri- 
fication of the components the designer has to prove that the composition of the 
word-level component functions matches the specification. Mainly, the *BMD 
of an algebraic expression representing the composition is generated. 

Bryant and Chen [23] experimentally proved that integer multipliers based on 
the add-step principle can be verified up to a bit width of 64 by using this 
approach. The n-bit integer multiplier which has been considered by them 
mainly consists of n − 1 carry-ripple adders. Assume that the 2n primary input 
signal lines which represent the two operands are called $a_0, a_1, \ldots, a_{n-1}$ and 
$b_0, b_1, \ldots, b_{n-1}$, respectively. Then the ith adder has as input the multiplicand 
word A, which is given by the unsigned encoding $A = \sum_{j=0}^{n-1} 2^j \cdot a_j$ (the *BMD 
of such an unsigned encoding is shown in Figure 4.4a), the ith bit $b_i$ of the 
multiplier, and a partial sum input word $PI_i$. It generates a partial sum word 
$PO_i$ where the functionality is specified as 

$$PO_i = PI_i + (b_i \cdot 2^i) \cdot A.$$

After having completed the component verification of the adders, the word-level 
specifications of the adders can be combined according to the interconnection 
structure of the circuit. In this case this is an easy task since the encoding 
function for an adder input matches the output encoding of the preceding adder. 
The resulting algebraic expression is given by 

$$0 + (b_0 \cdot 2^0 \cdot A) + \ldots + (b_i \cdot 2^i \cdot A) + \ldots + (b_{n-1} \cdot 2^{n-1} \cdot A)$$

for which a *BMD is generated. Because of the canonicity of *BMDs, this 
*BMD has to be the *BMD of the multiplication function (if the implementation 
of the multiplier under consideration indeed is error-free). 
There are some problems arising when using this methodology. The first one is the need for high-level specifications of component modules. The designer has to exercise great care in hierarchically specifying the circuits in order to make the design suitable for hierarchical specification. Another problem is that once having changed from the bit-level to the word-level, no information about the exact ordering of connections at module boundaries is accessible any longer. Bryant and Chen simply require that the encoding function for a component input has to match the output encoding of the component supplying that input [22]. However, there is no check whether this requirement is met.

1.2.2 Backward construction method 

Taking the problems of the hierarchical approach into account, Hamaguchi et al. [57] have proposed another *BMD based method for verifying arithmetic circuits which they called verification by backward construction. This method does not need any high-level information and it avoids the necessity of first computing a *BMD of each binary-valued output of the circuit under consideration.

As illustrated in Figure 4.1b, the primary outputs of a circuit are regarded as a word rather than a set of separate bits. In the case of arithmetic circuits, they are usually considered to represent an integer according to the unsigned binary encoding, i.e.,

$$\mathrm{encoding}(y_m, \ldots, y_1) = \sum_{i=1}^{m} y_i \cdot 2^{i-1},$$

the sign-magnitude encoding, i.e.,

$$\mathrm{encoding}(y_m, \ldots, y_1) = (-1)^{y_m} \cdot \sum_{i=1}^{m-1} y_i \cdot 2^{i-1},$$

or the two's complement encoding,

$$\mathrm{encoding}(y_m, \ldots, y_1) = \left( \sum_{i=1}^{m-1} y_i \cdot 2^{i-1} \right) - y_m \cdot 2^{m-1}.$$

The *BMD which represents their interpretation as pseudo-Boolean function is constructed in the initialization step of the backward construction method. The *BMDs of the commonly used encodings are shown in Figures 4.4a-4.4c [23].

Now, the basic idea of the backward construction method is to put a cut across all primary outputs of the circuit. The cut is moved step by step towards the primary inputs according to any reverse topological sort [31] of the cells. After having moved a cell into the area between the cut and the primary outputs, the *BMD of the subcircuit between the cut and the primary outputs is computed. Note that the *BMD of the word-level interpretation of the primary outputs corresponds to the cut which crosses all the primary outputs of the circuit. This *BMD is updated by substituting the outputs of the cell that is moved by the function realized by the cell. Here, the substitution algorithm presented in Chapter 3 Section 4.2 is used. Thus, after each iteration the *BMD only depends on the signals which are crossed by the cut. The algorithm stops if the cut crosses primary inputs only. It returns the *BMD belonging to this cut, which obviously is the *BMD of the circuit under consideration.

Figure 4.4a. *BMD of the unsigned binary encoding for m=4.

Figure 4.4b. *BMD of the sign-magnitude encoding for m=4.

Figure 4.4c. *BMD of the two's complement encoding for m=4.
Let us illustrate the approach of Hamaguchi et al. by applying it to Wallace-tree like multiplier circuits [142]. Let $a = a_{n-1} \ldots a_0$ and $b = b_{n-1} \ldots b_0$ be two n-bit numbers in unsigned binary representation. The multiplication of a and b is equivalent to summing up the n partial products (of length 2n) corresponding to the rows of the partial product matrix P:

$$P = \begin{pmatrix}
0 & 0 & \cdots & 0 & a_{n-1} b_0 & \cdots & a_1 b_0 & a_0 b_0 \\
0 & 0 & \cdots & a_{n-1} b_1 & a_{n-2} b_1 & \cdots & a_0 b_1 & 0 \\
\vdots & & & & & & & \vdots \\
0 & a_{n-1} b_{n-1} & \cdots & a_0 b_{n-1} & 0 & \cdots & 0 & 0
\end{pmatrix}$$

A Wallace-tree like multiplier reduces the n partial products to two 2n-bit integers s and c such that

$$s + c = \sum_{i=0}^{n-1} \sum_{j=0}^{n-1} a_i \cdot b_j \cdot 2^{i+j}.$$

The reduction uses full-adders only, for example carry-save adders [116]. The depth of a Wallace-tree like multiplier depends on the arrangement of the full-adders. Ideally, it is $O(\log n)$.

In the first step of the backward construction method, we have to encode the primary outputs of the Wallace-tree like multiplier. As the primary outputs represent two 2n-bit integers which have to be added in order to finish the multiplication of the operands a and b, we generate the *BMD of the pseudo-Boolean function

$$\sum_{i=0}^{2n-1} s_i \cdot 2^i + \sum_{i=0}^{2n-1} c_i \cdot 2^i.$$

This *BMD has a specific structure which is called sum of weighted variables (SOV) in [74]: In a *BMD in SOV, no two internal nodes are labelled with the same variable. Thus, there are at most as many internal nodes as variables. The high-edge of each internal node points to a terminal node. All low-edges but the low-edge of the last variable point to internal nodes, and the low-edge of the last variable points to a terminal node. Thus, a *BMD over $X_n$ in SOV represents a pseudo-Boolean function f of the form

$$f(x_1, \ldots, x_n) = w_0 + \sum_{i=1}^{n} w_i \cdot x_i$$




where $w_0, \ldots, w_n$ are integer values. $w_i$ is called the weight of variable $x_i$.

Let us return to the verification of our multiplier and let FA be a full-adder whose outputs are crossed by the cut. Let $x_i$ and $x_j$ be the sum- and carry-output of FA and $x_k$, $x_l$, and $x_m$ the inputs of FA. It can be shown that the weight of the carry-output $x_j$ is twice the weight of the sum-output $x_i$. The current *BMD in SOV does not depend on $x_k$, $x_l$, or $x_m$. Now, we have to replace the variables $x_i$ and $x_j$ by the *BMDs of the functions $\mathrm{sum}(x_k, x_l, x_m)$ and $\mathrm{carry}(x_k, x_l, x_m)$, respectively (see Figure 4.5a). These replacements have to be executed one after the other. Figure 4.5b shows the *BMD after substitution of $x_i$ by the *BMD of $\mathrm{sum}(x_k, x_l, x_m)$. In this *BMD, $x_j$ is replaced by $\mathrm{carry}(x_k, x_l, x_m)$. It is easy to see that the resulting *BMD is in SOV again, and that the variables $x_k$, $x_l$, and $x_m$ all have the same weight (namely the weight of the sum-output $x_i$, since $\mathrm{sum} + 2 \cdot \mathrm{carry} = x_k + x_l + x_m$). Thus, the considerations just made can be repeated until all the full-adders have been moved to the other side of the cut. After the substitution of the partial product bits, we obtain the *BMD of the integer multiplication function, provided that the circuit under verification is actually a Wallace-tree like multiplier.

Figure 4.5a. Replacing the outputs of a full-adder by the corresponding *BMDs.

Figure 4.5b. *BMD after substitution of $x_i$ by the *BMD of $\mathrm{sum}(x_k, x_l, x_m)$.



A detailed analysis of the complexity of backward construction applied to Wallace-tree like multipliers can be found in [74]. Hamaguchi et al. [57] experimentally showed that 256-bit Wallace-tree integer multipliers can be verified using this approach.
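To make the cut-moving substitution step and the SOV argument concrete, here is an added example (not code from the book, from Hamaguchi et al., or from the *BMD package of Chen). It models pseudo-Boolean functions as multilinear integer polynomials instead of *BMDs, so the number of monomials only stands in for the *BMD size; the 2-bit multiplier built from two half adders, its partial-product AND gates, and the rotated-output wiring fault are constructed here for illustration. Substituting a full-adder's sum and carry outputs, whose weights are in the ratio 1:2, yields a linear form again; moving a wrongly weighted output through the same cell does not, which is the mechanism behind the size blow-ups reported for wiring faults in Section 2.2.

```python
"""Backward construction on pseudo-Boolean polynomials (added example; not the
book's code, not Hamaguchi et al.'s, and not Chen's *BMD package).

A pseudo-Boolean function over 0/1 variables is stored as a multilinear
polynomial {frozenset_of_variable_names: integer_coefficient}.  Because
x*x = x, a monomial is just a set of variables.  This is not a *BMD; the
number of monomials is only a crude stand-in for the *BMD size."""
from collections import defaultdict

def _clean(r):
    return {m: c for m, c in r.items() if c != 0}

def padd(p, q):
    r = defaultdict(int)
    for m, c in list(p.items()) + list(q.items()):
        r[m] += c
    return _clean(r)

def pmul(p, q):
    r = defaultdict(int)
    for m1, c1 in p.items():
        for m2, c2 in q.items():
            r[m1 | m2] += c1 * c2        # union of variable sets: x*x = x
    return _clean(r)

def var(x):
    return {frozenset([x]): 1}

def scale(p, k):
    return _clean({m: c * k for m, c in p.items()})

def substitute(p, x, q):
    """Replace every occurrence of variable x in p by the polynomial q
    (the step that moves one cell output across the cut)."""
    r = {}
    for m, c in p.items():
        r = padd(r, pmul({m - {x}: c}, q) if x in m else {m: c})
    return r

def adder_cell(inputs):
    """Sum and carry polynomials of a half adder (2 inputs) or full adder (3)."""
    total, carry = {}, {}
    for i in inputs:
        total = padd(total, var(i))
    for i in range(len(inputs)):
        for j in range(i + 1, len(inputs)):
            carry = padd(carry, pmul(var(inputs[i]), var(inputs[j])))
    if len(inputs) == 3:               # ab + ac + bc counts the all-ones case 3 times
        abc = pmul(pmul(var(inputs[0]), var(inputs[1])), var(inputs[2]))
        carry = padd(carry, scale(abc, -2))
    return padd(total, scale(carry, -2)), carry     # inputs = sum + 2*carry

def word(bits):
    """Unsigned binary encoding of output bits y_0 .. y_{m-1}."""
    w = {}
    for i, y in enumerate(bits):
        w = padd(w, scale(var(y), 2 ** i))
    return w

def is_sov(p):
    """True iff p is a sum of weighted variables (every monomial has degree <= 1)."""
    return all(len(m) <= 1 for m in p)

def backward_construct(out_bits, cells, partial_products):
    """cells: (sum_name, carry_name, inputs) in reverse topological order;
    partial_products: {name: (a_i, b_j)} for the AND gates feeding the cells.
    Returns the final polynomial and the largest monomial count seen."""
    p = word(out_bits)
    peak = len(p)
    for s_name, c_name, inputs in cells:
        s_poly, c_poly = adder_cell(inputs)
        p = substitute(substitute(p, s_name, s_poly), c_name, c_poly)
        peak = max(peak, len(p))
    for name, (a, b) in partial_products.items():
        p = substitute(p, name, pmul(var(a), var(b)))
        peak = max(peak, len(p))
    return p, peak

def multiplication_spec(n):
    return pmul(word([f"a{i}" for i in range(n)]), word([f"b{i}" for i in range(n)]))

# Constructed 2x2 multiplier: p_ij = a_i*b_j; half adder ha1 adds column 1,
# half adder ha2 adds column 2; outputs y0 = p00, y1 = s1, y2 = s2, y3 = c2.
PP = {"p00": ("a0", "b0"), "p01": ("a0", "b1"),
      "p10": ("a1", "b0"), "p11": ("a1", "b1")}
CELLS = [("s2", "c2", ("p11", "c1")),      # back adder first (reverse topological)
         ("s1", "c1", ("p01", "p10"))]

def verify_correct():
    p, peak = backward_construct(["p00", "s1", "s2", "c2"], CELLS, PP)
    return p == multiplication_spec(2), peak

def verify_rotated_outputs():
    """Local wiring fault: sum and carry of the back adder swapped at the output."""
    p, peak = backward_construct(["p00", "s1", "c2", "s2"], CELLS, PP)
    return p == multiplication_spec(2), peak

if __name__ == "__main__":
    print(verify_correct())            # (True, 4): every cut stays a SOV
    print(verify_rotated_outputs())    # (False, 6): non-linear terms appear
```

In the error-free run every intermediate polynomial has at most four monomials and is a sum of weighted variables; with the two back-adder outputs rotated, the 1:2 weight ratio is broken, a product term survives the first substitution and the polynomial grows before the final comparison with the specification fails.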

2. Problems arising when using one of these methodologies 

The approaches to equivalence checking just presented have three major bottlenecks.

First, some functions cannot be efficiently represented by ROBDDs or *BMDs. Bryant [20] proved that the ROBDDs for integer multipliers are of exponential size. The representational power of *BMDs is too weak to efficiently represent integer division [131]. For Boolean networks realizing such functions, equivalence checking which is solely based on canonical forms fails due to the exponential blow-up of the size of the data structures. In practice, once the size of the data structures exceeds a given bound during a run, the algorithm is stopped and one has to switch to other approaches in order to decide the equivalence of the two Boolean networks under comparison. Such approaches are proposed in the following chapters.

Another problem is the following. Even if the functional behavior of a Boolean network can efficiently be represented by an ROBDD or a *BMD, the memory requirements may grow exponentially during the synthesis of the decision diagram despite the application of efficient variable ordering heuristics. To overcome this difficulty, either one has to switch to other approaches such as those presented in Chapter 5, or one has to use other data structures in between. Hett [60] and Hulgaard et al. [64] introduce a new data structure suitable for this concern, binary expression diagrams (BEDs). Their approach is discussed in Section 2.1, which partly follows the thesis of Hett [60].

Finally, most of the papers published in the literature handle the problem of proving that an error-free Boolean network is error-free. For example, Bryant/Chen [23] and Hamaguchi et al. [57] experimentally showed that error-free integer multipliers of several types (up to a bit width of 256) can be verified to be error-free in some hours using the hierarchical approach or the backward construction method. But there is no evidence that a faulty 256-bit integer multiplier can efficiently be proven to be faulty. This problem, which has been discussed in [145] for the first time, will be addressed in Section 2.2.

2.1 Avoiding intermediate size peaks 

In order to verify that two Boolean networks $\mathcal{N}_1$ and $\mathcal{N}_2$ with n inputs and one output are equivalent, the classical approach described above constructs either the ROBDDs of $\phi(\mathcal{N}_1)$ and $\phi(\mathcal{N}_2)$ or the ROBDD of $(\phi(\mathcal{N}_1) \oplus \phi(\mathcal{N}_2))'$. Due to the canonicity of ROBDDs, the two Boolean networks implement the same Boolean function if and only if the ROBDDs of $\phi(\mathcal{N}_1)$ and $\phi(\mathcal{N}_2)$ are equal, or the ROBDD of $(\phi(\mathcal{N}_1) \oplus \phi(\mathcal{N}_2))'$ is identical to the ROBDD which consists of terminal node 1 only. In general, the procedure first computes the ROBDDs of $\phi(\mathcal{N}_1)$ and $\phi(\mathcal{N}_2)$, which are then combined as $(\phi(\mathcal{N}_1) \oplus \phi(\mathcal{N}_2))'$.

For illustration, look at the following example which we have taken from [60]. Let $g_1$, $g_2$, and $g_3$ be three Boolean functions of $B_n$ which do not depend on the variables $x_1$ and $x_2$. Furthermore, let us assume that for all $i, j \in \{1, 2, 3\}$ with $i \neq j$ the ROBDD of $g_i \cdot g_j$ is quadratic in the size of the ROBDDs of $g_i$ and $g_j$. In order to synthesize the ROBDD F of

$$(x_1 \cdot g_1) \cdot (x_2 \cdot g_2) \cdot ((x_1 \oplus x_2) \cdot g_3)$$

the classical approach first computes the ROBDD of either

$$(x_1 \cdot g_1) \cdot (x_2 \cdot g_2),$$

$$(x_1 \cdot g_1) \cdot ((x_1 \oplus x_2) \cdot g_3),$$

or

$$(x_2 \cdot g_2) \cdot ((x_1 \oplus x_2) \cdot g_3).$$

Thus, the algorithm takes at least quadratic time before returning the terminal node 0, which is the final result F. If the ROBDDs of $g_1$, $g_2$, and $g_3$ are quite large, the consequence is a blow-up of the ROBDDs during the synthesis of the ROBDD F such that the algorithm aborts without success.

In order to possibly overcome such a blow-up of the size of the data structures, it would be helpful to have a generalization of BDDs which allows rearranging Boolean formulae. In the above example, a convenient rearrangement results in a quick transformation of the Boolean formula to 0:

$$\begin{aligned}
(x_1 \cdot g_1) \cdot (x_2 \cdot g_2) \cdot ((x_1 \oplus x_2) \cdot g_3)
&= (x_1 \cdot x_2 \cdot (x_1 \oplus x_2)) \cdot (g_1 \cdot g_2 \cdot g_3) \\
&= 0 \cdot (g_1 \cdot g_2 \cdot g_3) \\
&= 0.
\end{aligned}$$

In some sense, binary expression diagrams allow such rearrangements. They have a similar structure as BDDs (see Definition 3.6 on page 31) and are defined as follows.

Definition 4.1 (binary expression diagrams) Let $X_n$ be the set of variables $\{x_1, \ldots, x_n\}$ and $\Omega := \{\odot_1, \ldots, \odot_p\}$ a set of binary Boolean operators. A binary expression diagram over $(X_n, \Omega)$ is a directed acyclic graph $G = (V, E, label, value)$ with node set V containing two types of nodes, internal and terminal nodes. A terminal node v is labelled with $value(v)$, which is either 0 or 1. An internal node v has as label either a variable $x_i \in X_n$ or a binary Boolean operator $\odot_j \in \Omega$, i.e., $label(v) \in X_n \cup \Omega$, and two children $low(v)$ and $high(v)$. An internal node v is called operator node if $label(v) \in \Omega$; it is called variable node if $label(v) \in X_n$.

The relation between a binary expression diagram and the Boolean function it 
represents is straightforward. 

Definition 4.2 (interpretation of binary expression diagrams) Let $G = (V, E, label, value)$ be a binary expression diagram over $(X_n, \Omega)$ and v a node of V. The Boolean function $\phi(v) \in B_n$ which is computed at node v is recursively defined as follows:

■ If v is a terminal node and $value(v) = 1$, then $\phi(v) = 1$.

■ If v is a terminal node and $value(v) = 0$, then $\phi(v) = 0$.

■ If v is an internal node and $label(v) = x_i$, then

$$\phi(v) = (x_i' \cdot \phi(low(v))) + (x_i \cdot \phi(high(v)))$$

where $\cdot$ and $+$ denote the logical-and operator and the logical-or operator, respectively.

■ If v is an internal node and $label(v) = \odot_j$, then

$$\phi(v) = \phi(low(v)) \odot_j \phi(high(v)).$$


In the following we only consider reduced ordered binary expression diagrams with complemented edges (cf. Chapter 3 Section 3.3) over $(X_n, \Omega)$, which we call BEDs in short. A BED is ordered if on all paths through the graph each variable occurs at most once and the variables respect a given total order. It is reduced if neither the deletion rule nor the merging rule introduced for BDDs can be applied to a variable node, the operands of an operator node v are not the same node, i.e., $low(v) \neq high(v)$, and neither operand of an operator node is a terminal node. Here we assume that $\Omega = \{\cdot, \overline{\cdot}, +, \overline{+}, \oplus, \overline{\oplus}\}$, i.e., and, nand, or, nor, exclusive-or, and exclusive-nor. If $low(v) = high(v)$ holds for an operator node v with $label(v) = \odot_j$, it is easy to see that

$$\phi(v) = \begin{cases}
0 & \text{if } \odot_j = \oplus \\
1 & \text{if } \odot_j = \overline{\oplus} \\
\phi(low(v)) & \text{if } \odot_j \in \{+, \cdot\} \\
\phi(low(v))' & \text{if } \odot_j \in \{\overline{+}, \overline{\cdot}\}.
\end{cases}$$
If the low-successor (or, symmetrically, the high-successor) of the operator node is a terminal node, then the BED can be reduced as follows:

$$\phi(v) = \begin{cases}
0 & \text{if } low(v) = 0 \text{ and } \odot_j = \cdot \\
1 & \text{if } low(v) = 0 \text{ and } \odot_j = \overline{\cdot} \\
\phi(high(v)) & \text{if } low(v) = 0 \text{ and } \odot_j \in \{+, \oplus\} \\
\phi(high(v))' & \text{if } low(v) = 0 \text{ and } \odot_j \in \{\overline{+}, \overline{\oplus}\} \\
0 & \text{if } low(v) = 1 \text{ and } \odot_j = \overline{+} \\
1 & \text{if } low(v) = 1 \text{ and } \odot_j = + \\
\phi(high(v)) & \text{if } low(v) = 1 \text{ and } \odot_j \in \{\cdot, \overline{\oplus}\} \\
\phi(high(v))' & \text{if } low(v) = 1 \text{ and } \odot_j \in \{\overline{\cdot}, \oplus\}.
\end{cases}$$



BEDs are an extension of ROBDDs with complemented edges. They are capable of representing any Boolean network with n inputs and one output in linear space and partly contain the structural composition of the Boolean network. The rearrangement of operators is performed by shifting operator nodes in the BED, which is a local operation. For example, moving variable nodes above operator nodes can be done in a very efficient way as cofactor computation commutes with each of the binary Boolean operators. Look at Figure 4.6. It is easy to see that

$$\begin{aligned}
\phi(v) &= ((x_i' \cdot G) + (x_i \cdot H)) \odot ((x_i' \cdot I) + (x_i \cdot J)) \\
&= \big( x_i' \cdot (((x_i' \cdot G) + (x_i \cdot H)) \odot ((x_i' \cdot I) + (x_i \cdot J)))|_{x_i = 0} \big) \\
&\quad + \big( x_i \cdot (((x_i' \cdot G) + (x_i \cdot H)) \odot ((x_i' \cdot I) + (x_i \cdot J)))|_{x_i = 1} \big) \\
&= (x_i' \cdot (((1 \cdot G) + (0 \cdot H)) \odot ((1 \cdot I) + (0 \cdot J)))) + (x_i \cdot (((0 \cdot G) + (1 \cdot H)) \odot ((0 \cdot I) + (1 \cdot J)))) \\
&= (x_i' \cdot ((G + 0) \odot (I + 0))) + (x_i \cdot ((0 + H) \odot (0 + J))) \\
&= (x_i' \cdot (G \odot I)) + (x_i \cdot (H \odot J)).
\end{aligned}$$

Figure 4.6. Shifting an operator node [60]. G, H, I, and J are sub-BEDs.

Now, look at our example from above where we tried to synthesize the ROBDD F of

$$(x_1 \cdot g_1) \cdot (x_2 \cdot g_2) \cdot ((x_1 \oplus x_2) \cdot g_3).$$

Let us assume that the ROBDDs $G_1$, $G_2$, and $G_3$ of $g_1$, $g_2$, and $g_3$, respectively, are given. A BED which corresponds to this Boolean formula is shown in Figure 4.7a. Let us move the operator nodes towards the terminal nodes. Moving operator node $v_1$ across the successor node labelled with $x_1$ (remember that we have assumed that $g_1$, $g_2$, and $g_3$ depend on neither $x_1$ nor $x_2$) results in the BED of Figure 4.7b. Applying the BED specific reduction rules results in the BED shown in Figure 4.7c. Analogously, operator node $v_2$ can be moved downwards, which is illustrated in Figure 4.7d. In the next step, the operator nodes $v_3$ and $v_4$ can be moved below variable $x_1$. The BED which we obtain after performing these two operator shifts is shown in Figure 4.7e.

The BEDs shown in Figure 4.7f, Figure 4.7g, and Figure 4.7h show the further process. Moving the upper operator node towards the terminal nodes results in the BED shown in Figure 4.7h. This shows that BEDs allow us to compute the BED of the Boolean formula

$$(x_1 \cdot g_1) \cdot (x_2 \cdot g_2) \cdot ((x_1 \oplus x_2) \cdot g_3)$$

without exploring the ROBDDs of $g_1$, $g_2$, or $g_3$.

Figure 4.7a. BED of $(x_1 \cdot g_1) \cdot (x_2 \cdot g_2) \cdot ((x_1 \oplus x_2) \cdot g_3)$. For the sake of clarity, the merging rule has not been applied throughout the diagram.

Figure 4.7b. BED after moving operator node $v_1$ across the successor node labelled with $x_1$.

The BED based verification procedure is quite simple. Given two Boolean networks $\mathcal{N}_1$ and $\mathcal{N}_2$ over $\mathcal{B}_1 \cup \mathcal{B}_2$ with n inputs and one output, we construct the BEDs $B_1$ and $B_2$ of $\mathcal{N}_1$ and $\mathcal{N}_2$, respectively, and combine them as $B_1 \overline{\oplus} B_2$ by means of an operator node. Then, we convert this BED to an ROBDD by repeatedly moving operator nodes towards the terminal nodes. Operator nodes which point to terminal nodes are eliminated by the reduction requirements. The worst-case time complexity of this transformation procedure can be exponential in the size of the BED, as there are small BEDs representing integer multiplication. However, in many cases BEDs are a suitable tool which helps avoiding intermediate size peaks during the synthesis of ROBDDs.

Figure 4.7c. Applying the BED specific reduction rules.

Figure 4.7d. Moving operator node $v_2$ downwards.

Figure 4.7e. Moving the operator nodes $v_3$ and $v_4$ towards the terminal nodes.

Figure 4.7f.
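As an added illustration of Definitions 4.1 and 4.2, the reduction rules, and the shift of Figure 4.6 (this is example code, not the BED package of Hett [60] or Hulgaard et al. [64]), the following Python models a BED with tuples and converts it to a BDD by pushing operator nodes below variable nodes. The sub-BEDs $g_1$, $g_2$, $g_3$ are kept as opaque leaves, which matches the assumption of the example above that they do not depend on $x_1$ and $x_2$; complemented edges are not modelled and the operator set is restricted to and, or, and exclusive-or.

```python
"""Operator shifting on binary expression diagrams (added example; this is not
the book's or Hett's BED implementation).  Nodes are plain tuples:
  ('T', b)             terminal node, b in {0, 1}
  ('G', name)          an opaque sub-BED (the g_i of the text) that is never expanded
  ('X', i, low, high)  variable node x_i; variables are ordered by their index i
  ('OP', op, l, r)     operator node with op in {'AND', 'OR', 'XOR'}
Complemented edges are not modelled; the complement of an opaque sub-BED is
kept as an XOR-with-1 operator node instead."""
from functools import lru_cache

T0, T1 = ('T', 0), ('T', 1)
DEFERRED = []   # operator nodes left over opaque sub-BEDs (products never expanded)

def X(i, low, high):
    """Variable node with the BDD deletion rule (low == high) applied."""
    return low if low == high else ('X', i, low, high)

def negate(u):
    if u[0] == 'T':
        return ('T', 1 - u[1])
    if u[0] == 'X':
        return X(u[1], negate(u[2]), negate(u[3]))
    return ('OP', 'XOR', u, T1)

def cofactor(u, i, b):
    """u with x_i := b.  By the ordering, a node whose top label is not x_i is
    independent of x_i (x_i precedes every variable below it)."""
    if u[0] == 'X' and u[1] == i:
        return u[3] if b else u[2]
    return u

@lru_cache(maxsize=None)
def shift(op, u, v):
    """Compute u op v by pushing the operator below variable nodes (Figure 4.6)
    and applying the terminal / equal-operand reduction rules of the text."""
    for a, b in ((u, v), (v, u)):             # one operand is a terminal node
        if a[0] == 'T':
            if op == 'AND':
                return T0 if a[1] == 0 else b
            if op == 'OR':
                return T1 if a[1] == 1 else b
            return b if a[1] == 0 else negate(b)          # XOR
    if u == v:                                 # low(v) = high(v) rule
        return T0 if op == 'XOR' else u
    tops = [w[1] for w in (u, v) if w[0] == 'X']
    if not tops:                               # only opaque sub-BEDs are left:
        node = ('OP', op, u, v)                # keep the operator node, do not expand
        DEFERRED.append(node)
        return node
    i = min(tops)                              # shift below the topmost variable
    return X(i, shift(op, cofactor(u, i, 0), cofactor(v, i, 0)),
                shift(op, cofactor(u, i, 1), cofactor(v, i, 1)))

def to_bdd(u):
    """Move every operator node of a BED towards the terminal nodes."""
    if u[0] != 'OP':
        return u
    return shift(u[1], to_bdd(u[2]), to_bdd(u[3]))

def AND(l, r):
    return ('OP', 'AND', l, r)

def XOR(l, r):
    return ('OP', 'XOR', l, r)

def example_bed():
    """BED of (x1*g1) * (x2*g2) * ((x1 xor x2) * g3) with g1, g2, g3 opaque
    (they do not depend on x1, x2, exactly as assumed in the text)."""
    x1, x2 = X(1, T0, T1), X(2, T0, T1)
    g1, g2, g3 = ('G', 'g1'), ('G', 'g2'), ('G', 'g3')
    return AND(AND(AND(x1, g1), AND(x2, g2)), AND(XOR(x1, x2), g3))

if __name__ == "__main__":
    print(to_bdd(example_bed()))   # ('T', 0): the formula is the constant 0
    print(DEFERRED)                # g1*g2 was created as an operator node only;
                                   # no ROBDD of a g_i product was ever built
```

Running the conversion on the example yields terminal node 0 while the only product of two opaque sub-BEDs, $g_1 \cdot g_2$, survives as an unexpanded operator node that is discarded by the $0 \cdot h = 0$ rule; that is exactly the size peak the classical apply-based synthesis cannot avoid.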

Figure 4.7g.

Figure 4.7h.

2.2 How to prove a faulty circuit to be faulty?

Now, let us come to the third problem of combinational equivalence checking based on canonical forms. Note that the investigations presented in the above sections deal with error-free implementations only. For example, the approaches of Bryant/Chen [23] and Hamaguchi et al. [57] show by experiments that an error-free integer multiplier can be efficiently proven to be error-free. There is no evidence that a faulty integer multiplier can be proven to be faulty in polynomial time when using one of the approaches presented above.

In this chapter, we concentrate on the problem of how to formally prove that a faulty multiplier implementation is faulty. At first glance, the answer to this question appears to be quite simple. Just build the *BMD of the pseudo-Boolean function realized by the circuit under consideration by applying the backward construction method and compare it to the *BMD of n-bit integer multiplication. Of course, if the circuit does not implement integer multiplication, the comparison fails. However, this drafted procedure only works if the *BMD of the pseudo-Boolean function realized by the faulty circuit can be synthesized in reasonable time. Up to now, we only know that the *BMDs occurring during backward construction of an error-free (Wallace-tree like) integer multiplier circuit have practicable sizes. It is quite possible that the size of the *BMDs increases exponentially during backward construction if some design error is inserted in the multiplier design. But, if the backward construction does not stop after a short time, how can we decide that the process can be aborted? After what time can we be sure that the circuit under consideration is faulty, i.e., does not realize integer multiplication?

We are going to show that these questions are relevant in practice. We prove that the backward construction method can only be applied as a filter during formal logic verification unless sharp polynomial upper bounds for the sizes of the *BMDs occurring during backward construction of an error-free circuit of a particular type have been proven. Keim et al. did this for Wallace-tree like integer multipliers [74].

To simplify matters, we consider a very simple multiplier implementation. It has the basic structure which is shown in Figure 4.8. The various partial products are computed in the Mult-components and are directly added to the subtotal in the next Add-component. Each Mult-component consists of AND-gates only. For the Add-components, various types of adders can be used.

Figure 4.8. n-bit integer multiplier.



We investigate the sizes of the *BMDs occurring during backward construction of an error-free implementation and various faulty implementations of our multiplier type. To obtain experimental data, let us construct by backward construction the *BMDs of these hardware implementations. In order to get comparable results, we are going to use the same breadth first search strategy to determine the order in which the substitutions are applied every time.

2.2.1 Error-free multiplier 

Because of canonicity, the *BMD of the pseudo-Boolean function realized by an error-free n-bit integer multiplication hardware is isomorphic to the *BMD shown in Figure 3.14b on page 56. It contains $2 \cdot n$ inner nodes only. However, some *BMDs occurring during the backward construction of such an error-free multiplier are more complex. In particular, additional temporary variables have to be inserted in order to represent the subtotals of the multiplication and the various partial products. Figure 4.9 shows the sizes of the *BMDs occurring during the backward construction of an error-free 10-bit integer multiplier¹. The data on the y-axis show the sizes of the intermediate *BMDs occurring during the corresponding substitution steps. As already described, the backward construction method applied to the n-bit integer multiplier starts with the *BMD of the output word which consists of the output variables $y_{2n-1}, \ldots, y_0$. Thus, in the case of a 10-bit multiplier the initial *BMD has size 20. During the first substitution steps the upper 10 output variables (see Figure 4.8) are substituted with respect to the function which is realized by the back adder block. Temporary variables for representing the subtotal of the multiplication and the partial product which are operands of this back adder block have to be inserted. This results in a linear growth of the *BMDs (see Figure 4.9, step 0 to step 50). Substituting the output variables of the back multiplier block (step 50 to step 80) results in *BMDs with about 30 inner nodes. The resulting *BMDs after these steps only depend on output variables which have to be substituted later on, variables for representation of the subtotal, and some input variables. By having a close look at Figure 4.9 it is easy to recognize the various levels of our multiplier. During the substitutions due to an adder block the sizes of the *BMDs are approximately 45. After the substitutions due to a multiplier block the sizes of the *BMDs drop back to 30.

Figure 4.9. Backward construction of an error-free 10-bit multiplier: vertex count during backward construction (error free, 10x10), plotted against the substitution step.

The experiments conducted for different bit widths show that the size of the 
*BMDs occurring during backward construction of our error-free n-bit integer 
multiplier are bounded by 6 • n. 

2.2.2 Faulty multipliers: cell faults 

Now, let us investigate the effect of cell faults on the size of the *BMDs occurring during backward construction. Figure 4.10 shows the behavior of the *BMDs after replacement of all AND-gates by EXOR-gates in the multiplier blocks of a 10-bit multiplier. The number of inner nodes of the final *BMD is $3 \cdot n - 1$. The sizes of the *BMDs occurring during backward construction also seem to be linear in the operand size. Thus, the *BMD of such a faulty multiplier can be constructed by backward construction even for large operands.

All the experiments pointed out that cell faults in our multiplier seem to be good-natured.

Figure 4.10. Backward construction of a faulty 10-bit multiplier (cell transformation fault, 10x10): vertex count per substitution step.

2.2.3 Faulty multipliers: wiring faults 

The situation is rather precarious when the multiplier implementation contains a routing design error. Let us investigate two different wiring faults, a hierarchical fault which occurs in every level of the multiplier and a local fault where only one connection is wrongly wired.

Hierarchical wiring fault. The first wiring fault which we investigate is a faulty routing between the outputs of the adder blocks which represent subtotals of the multiplication and the inputs of the next adder blocks. In particular, we shift (more exactly: we rotate) the subtotal by one position (see Figure 4.11 for illustration). Figure 4.12 shows the sizes of the *BMDs occurring during backward construction of such a faulty 6-bit multiplier implementation. The final size of the *BMD of the pseudo-Boolean function realized by this faulty 6-bit multiplier is still relatively small. It consists of 130 inner nodes. However, the *BMDs occurring during backward construction are very large, namely up to about 49,000 inner nodes. Due to memory restrictions, multipliers for larger operands cannot be considered.

Figure 4.11. Hierarchical wiring fault (operands Op(a), Op(b) <1...n>; result Res <1...2n>).

Figure 4.12. Backward construction of a faulty 6-bit multiplier (hierarchical wiring fault, 6x6): vertex count per substitution step.

Local wiring fault. The second wiring fault which we investigate is a faulty handling of the connection between the back adder block and the next-to-the-back adder block. Once again, we 'rotate' the subtotal. The fault is sketched in Figure 4.13. Figure 4.14 shows the behavior of the *BMDs for this case. The final *BMD size for n = 7 is 412. During the backward construction, *BMDs whose sizes are up to 125,000 nodes occur.

Figure 4.13. Local wiring fault.
Figure 4.14. Backward construction of a faulty 7-bit multiplier (local wiring fault, 7x7): vertex count per substitution step.



2.2.4 Conclusions 

The considerations just made show that very simple faults can dramatically change the behavior of the backward construction method of Hamaguchi et al. Simple faults can result in very large *BMDs during backward construction although backward construction applied to an error-free implementation uses *BMDs of moderate sizes only. Consequently, the backward construction method can only be used as a formal verification tool if polynomial upper bounds for the sizes of the *BMDs occurring during the backward construction applied to an error-free circuit of a particular type have been proven. Once the size of a *BMD exceeds this upper bound, we can conclude that the circuit under consideration does not belong to this particular circuit type. If such upper bounds have not been proven, the backward construction method can only be used as a filter during formal logic verification. Only if the method stops after a reasonable time have we proven equivalence or non-equivalence. Otherwise, we do not know anything. The circuit under consideration may be error-free or faulty.

Note that asymptotic upper bounds are not of much help. Rather we need upper bounds with exact "constants". This approach was carried out for Wallace-tree like multipliers by Keim et al. [74]. Here the constants needed can easily be pulled out of the constructive proof of the main theorem of the paper, which states that any n-bit Wallace-tree like multiplier can be verified by backward construction in polynomial time and space.

If such upper bounds are not known, we have to resort to other approaches. We 
are going to discuss the most important ones in the subsequent chapters. 
Notes

1 We used the *BMD package of Chen which has already been used in [23]. In order to make it applicable for our purposes, we extended the *BMD package by the substitution function which has been presented in Chapter 3 Section 4.2 and by a counter which allows recording the size of the *BMDs during a substitution step. All tests were executed on a PC with 256 Megabyte main memory without additional swap memory.




Chapter 5 

SAT AND ATPG BASED EQUIVALENCE CHECKING 



Another approach to equivalence checking of combinational circuits is based 
on automatic test pattern generation (ATPG) and satisfiability of conjunctive 
normal forms (SAT). The common idea of both approaches is to transform the 
equivalence checking problem to a satisfiability problem. To realize this idea, 
an "exclusive-or" is applied to the two Boolean networks F and G which are to 
be compared. Figure 5.1 illustrates how to proceed. The term miter is used to 
refer to the configuration shown (cf. [16]). Thus, two Boolean networks F and 
G are functionally equivalent if and only if there is no assignment to the inputs 
of the miter of F and G such that the miter evaluates to 1. Thus, the following 
three statements are equivalent: 

■ F and G are not functionally equivalent; 

■ The miter of F and G is satisfiable, i.e., there is an assignment to the inputs 
of the miter of F and G such that the output evaluates to 1 ; 

■ The output of the miter of F and G is testable for stuck-at-0 (see [1]). 

Of course, the BDD (or *BMD) based approach proposed in Chapter 4 can be 
used for checking whether the miter is satisfiable as well. Just construct the 
ROBDD of the miter of F and G. The miter is satisfiable if and only if its 
decision diagram does not only consist of terminal node 0. This test can be 
done in constant time. However, the memory requirements for constructing the 
ROBDD of the miter may be too large and other approaches have to be applied. 
In this chapter we discuss approaches to combinational equivalence checking 
which apply traditional SAT algorithms and ATPG. In particular, we review the 
basic algorithms for automatic test pattern generation of combinational circuits 
and the satisfiability problem applied to conjunctive normal forms. 
Figure 5.1. A miter.



1. SAT based equivalence checking 

For applying SAT algorithms to the equivalence checking problem, the miter 
under consideration has to be transformed into a conjunctive normal form which 
characterizes the set of consistent assignments to the signal lines of the miter. 
Then, SAT algorithms are applied to this conjunctive normal form. 

Conjunctive normal forms are particular Boolean formulae over $X_n$ (cf. Defi- 
nition 3.4). 

Definition 5.1 (clause) A disjunction of literals, where a literal is the 
occurrence of a variable $x_i$ or its complement $x_i'$, is called clause. 

In the following, we assume that a clause c does not contain both literal L and 
literal L' and that the literals in a clause are unique. So we can treat clauses as 
sets of literals. With |c|, we are going to denote the number of literals contained 
in clause c. The empty set $\emptyset$ is called empty clause, which is a description of 
the constant Boolean function 0. 

Definition 5.2 (conjunctive normal form) A conjunction of clauses 
is called conjunctive normal form. 

Analogously to clauses, conjunctive normal forms can be treated as sets of 
clauses. Thus, $|\chi|$ denotes the number of clauses of the conjunctive normal 
form $\chi$. The empty set $\emptyset$ is called empty conjunctive normal form and describes 
the constant Boolean function 1. 

Despite the satisfiability problem applied to conjunctive normal forms being 
an NP-complete decision problem [53], SAT algorithms have seen dramatic 
improvements in recent years. 
1.1 Generating a conjunctive normal form 

As mentioned above, the miter $\mathcal{N}$ is transformed into a conjunctive normal 
form first [86]. For this purpose every edge of the Boolean network $\mathcal{N}$ has an 
associated variable. For illustration, please see Figure 5.2 which we have taken 
from [83]. 




Figure 5.2. Example of a miter [83]. 



Each node of $\mathcal{N}$ is tagged with a conjunctive normal form that represents the 
function performed by the appropriate gate. We assume that the node v under 
consideration has two inputs $x_1$ and $x_2$ and one output z, i.e., $type(v) \in B_2$ 
(cf. Definition 3.3). Then an assignment of the node v is called consistent if 
and only if it satisfies the formula 

$$z = type(v)(x_1, x_2).$$

This formula is logically equivalent to 

$$(z \rightarrow type(v)(x_1, x_2)) \cdot (type(v)(x_1, x_2) \rightarrow z)$$

and 

$$(z' + type(v)(x_1, x_2)) \cdot (type(v)(x_1, x_2)' + z).$$

It is rather easy to transform such a formula into a conjunctive normal form for 
a particular node v of the Boolean network. For example, if v represents an 
AND-gate, i.e., $type(v) = \cdot$, then the Boolean formula tagged to v is given by 

$$(z' + (x_1 \cdot x_2)) \cdot ((x_1 \cdot x_2)' + z)$$

which is logically equivalent to 

$$(z' + x_1) \cdot (z' + x_2) \cdot (z + x_1' + x_2').$$

This formula states that whenever output z is 1, then the inputs $x_1$ and $x_2$ 
have to be 1 as well; otherwise the first two clauses are not satisfied. 
Because of the third clause, input $x_1$ or input $x_2$ has to be 0 if z is 0. Table 
5.1 [86] summarizes the conjunctive normal forms of some other basic gates. 

type(v)          conjunctive normal form 
AND ($\cdot$)        $(z' + x_1) \cdot (z' + x_2) \cdot (z + x_1' + x_2')$ 
OR ($+$)         $(z + x_1') \cdot (z + x_2') \cdot (z' + x_1 + x_2)$ 
NAND             $(z + x_1) \cdot (z + x_2) \cdot (z' + x_1' + x_2')$ 
NOR              $(z' + x_1') \cdot (z' + x_2') \cdot (z + x_1 + x_2)$ 
XOR ($\oplus$)      $(z' + x_1 + x_2) \cdot (z' + x_1' + x_2') \cdot (z + x_1' + x_2) \cdot (z + x_1 + x_2')$ 
NOT              $(z' + x_1') \cdot (z + x_1)$ 

Table 5.1. Conjunctive normal forms of basic gates 

It is straightforward to generalize these Boolean formulae to multi-input basic 
gates. For example, the consistent assignments of an n-input AND-gate 
$z = AND(x_1, \ldots, x_n)$ are characterized by 

$$\prod_{i=1}^{n} (z' + x_i) \cdot \Big( z + \sum_{i=1}^{n} x_i' \Big),$$

where $\prod$ and $\sum$ denote the iterative logical-and operator and the iterative 
logical-or operator, respectively. 

Since each node is tagged with a Boolean formula which has to be independently 
satisfied, we can extract a characteristic formula $\chi(\mathcal{N})$ for any circuit $\mathcal{N}$ by 
taking the conjunction of all of the formulas of nodes in $\mathcal{N}$. The resulting 
conjunctive normal form describes the set of the consistent assignments to the 
signals of $\mathcal{N}$, i.e., an assignment which is consistent for every node in $\mathcal{N}$. For 
example, the characteristic formula $\chi(\mathcal{N})$ of the Boolean network $\mathcal{N}$ shown 
in Figure 5.2 is 

$$\begin{aligned}
\chi(\mathcal{N}) = {}& (d' + b) \cdot (d' + c) \cdot (d + b' + c') \\
&\cdot (e' + a') \cdot (e + a) \\
&\cdot (f' + b) \cdot (f' + c) \cdot (f + b' + c') \\
&\cdot (g' + f') \cdot (g + f) \\
&\cdot (h' + e) \cdot (h' + g) \cdot (h + e' + g') \\
&\cdot (i + a') \cdot (i + d') \cdot (i' + a + d) \\
&\cdot (j' + h') \cdot (j + h) \\
&\cdot (k' + i + j) \cdot (k' + i' + j') \cdot (k + i' + j) \cdot (k + i + j').
\end{aligned}$$

Now, remember that in our application the Boolean network $\mathcal{N}$ we consider is a 
miter of some circuits F and G. Assume that k is the variable associated to the 
primary output of $\mathcal{N}$. Then, expanding $\chi(\mathcal{N})$ by clause k results in a formula 
$\chi(\mathcal{N}) \cdot k$ which is satisfiable if and only if the combinational circuits F and G 
are not functionally equivalent. 
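The translation of Section 1.1 in running code, as an added example that is not taken from the book or from [86]: the per-gate clause sets of Table 5.1 (with the n-input generalization stated above, and XOR derived from its truth table, which reproduces the four two-input clauses), the characteristic formula $\chi(\mathcal{N})$ of a gate network, and the miter formula $\chi(\mathcal{N}) \cdot k$. The gate list FIG_5_2 is the network of Figure 5.2 as read off $\chi(\mathcal{N})$ above; all function names are assumptions of this example. A brute-force count over all signal assignments checks the two facts the text relies on: $\chi(\mathcal{N})$ has exactly one model per primary-input assignment, and $\chi(\mathcal{N}) \cdot k$ has none, i.e. the two networks of Figure 5.2 are equivalent.

```python
from itertools import product

# Gate semantics used for simulation (constructed for this example).
GATES = {
    "AND":  lambda *xs: int(all(xs)),
    "OR":   lambda *xs: int(any(xs)),
    "NAND": lambda *xs: int(not all(xs)),
    "NOR":  lambda *xs: int(not any(xs)),
    "XOR":  lambda *xs: sum(xs) % 2,
    "NOT":  lambda x: 1 - x,
}

def gate_clauses(z, gtype, xs):
    """Clauses characterising the consistent assignments of one gate, following
    Table 5.1 and its n-input generalisation. A literal is a (signal, polarity)
    pair; polarity 0 stands for the complemented signal, e.g. ("z", 0) is z'."""
    pos = lambda s: (s, 1)
    neg = lambda s: (s, 0)
    if gtype == "AND":    # z -> every x_i, and all x_i -> z
        return [[neg(z), pos(x)] for x in xs] + [[pos(z)] + [neg(x) for x in xs]]
    if gtype == "OR":     # every x_i -> z, and z -> some x_i
        return [[pos(z), neg(x)] for x in xs] + [[neg(z)] + [pos(x) for x in xs]]
    if gtype == "NAND":
        return [[pos(z), pos(x)] for x in xs] + [[neg(z)] + [neg(x) for x in xs]]
    if gtype == "NOR":
        return [[neg(z), neg(x)] for x in xs] + [[pos(z)] + [pos(x) for x in xs]]
    if gtype == "NOT":
        (x,) = xs
        return [[neg(z), neg(x)], [pos(z), pos(x)]]
    if gtype == "XOR":
        # One clause per input pattern: "inputs equal the pattern" implies
        # "z equals its parity". For two inputs this is the XOR row of Table 5.1.
        clauses = []
        for pattern in product((0, 1), repeat=len(xs)):
            parity = sum(pattern) % 2
            clauses.append([(x, 1 - b) for x, b in zip(xs, pattern)] + [(z, parity)])
        return clauses
    raise ValueError("unknown gate type " + gtype)

def show(clause):
    """Render a clause in the notation of the text, e.g. (z' + x1 + x2)."""
    return "(" + " + ".join(s + ("" if p else "'") for s, p in clause) + ")"

def characteristic_formula(network):
    """chi(N): conjunction of the clauses of all gates. A network is a list of
    (output, gate type, inputs) triples in topological order."""
    return [c for z, t, xs in network for c in gate_clauses(z, t, xs)]

def miter_cnf(network, output):
    """chi(N) . k: the characteristic formula plus the one-literal clause of the output."""
    return characteristic_formula(network) + [[(output, 1)]]

def satisfied(clauses, assignment):
    return all(any(assignment[s] == p for s, p in c) for c in clauses)

def simulate(network, inputs):
    """Consistent assignment obtained by evaluating every gate in topological order."""
    values = dict(inputs)
    for z, t, xs in network:
        values[z] = GATES[t](*(values[x] for x in xs))
    return values

def count_models(clauses, signals):
    """Brute-force number of satisfying assignments over all given signals."""
    return sum(satisfied(clauses, dict(zip(signals, bits)))
               for bits in product((0, 1), repeat=len(signals)))

# Miter of Figure 5.2 as read off chi(N) in the text: F = a + b.c (signal i),
# G = ((a').(b.c)')' (signal j), and k = i XOR j.
FIG_5_2 = [("d", "AND", ["b", "c"]), ("e", "NOT", ["a"]), ("f", "AND", ["b", "c"]),
           ("g", "NOT", ["f"]), ("h", "AND", ["e", "g"]), ("i", "OR", ["a", "d"]),
           ("j", "NOT", ["h"]), ("k", "XOR", ["i", "j"])]
SIGNALS = list("abcdefghijk")

def figure_5_2_results():
    chi = characteristic_formula(FIG_5_2)
    sims_consistent = all(satisfied(chi, simulate(FIG_5_2, dict(zip("abc", bits))))
                          for bits in product((0, 1), repeat=3))
    return {"clauses": len(chi),
            "simulations_consistent": sims_consistent,
            "models_of_chi": count_models(chi, SIGNALS),      # one per input assignment
            "models_of_miter": count_models(miter_cnf(FIG_5_2, "k"), SIGNALS)}

if __name__ == "__main__":
    for c in gate_clauses("z", "AND", ["x1", "x2"]):
        print(show(c))
    print(figure_5_2_results())
```

The brute-force model count is only there to validate the encoding on this eleven-signal example; the point of the chapter is that the SAT procedures of the following sections decide $\chi(\mathcal{N}) \cdot k$ without such enumeration.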

1.2 Algorithms for SAT-solving 

Most algorithms for solving the SAT problem for conjunctive normal forms 
are based on the Davis-Putnam procedure [35] and Davis-Logemann-Loveland 
procedure [34]. In the following, let us follow the original paper of Davis and 
Putnam [35]. 

1.2.1 Davis-Putnam / Davis-Logemann-Loveland procedure 

The Davis-Putnam procedure (DP) and Davis-Logemann-Loveland procedure 
(DLL) are based upon the iterative application of several rules, namely 

■ two termination rules, 

■ two Boolean Constraint Propagation rules (BCP), 

  - the one-literal clause rule and 

  - the monotone variable fixing rule, and 

■ the variable elimination rule. 



Termination rules. The termination rules which are applied are the follow- 
ing: 

Termination rule I if $\chi$ is the empty conjunctive normal form, then $\chi$ is satis- 
fiable. 

Termination rule II if $\chi$ contains an empty clause, then $\chi$ is not satisfiable. 

In the algorithm presented in Figure 5.3 on page 107, procedure TERMI- 
NAL_CASE returns TRUE, if termination rule I could be applied, FALSE, 
if termination rule II could be applied, or UNSOLVED. In the latter case, the 
SAT procedure has to apply BCP or the variable elimination rule. 

One-literal clause rule. The one-literal clause rule (or unit clause rule) 
states that if a conjunctive normal form $\chi$ contains a clause c which consists 
of only one literal L, then $\chi$ can be modified by striking out all clauses that 
contain the literal L and deleting all occurrences of the negated literal L' from 
the remaining clauses of $\chi$. 

Lemma 5.1 (one-literal clause rule) Let $\chi$ be a conjunctive normal 
form and let $\chi_{new}$ be the conjunctive normal form which results if the one- 
literal clause rule is applied to $\chi$. Then, $\chi_{new}$ is satisfiable if and only if $\chi$ is 
satisfiable. 

Proof: The correctness of this rule is due to the equivalences $L \cdot (L + B) = L$ 
and $L \cdot (L' + B) = L \cdot B$, B being any Boolean formula. ■ 

Let us illustrate the one-literal clause rule by applying it to the above example. 
Obviously, we can eliminate variable k in $\chi(\mathcal{N}) \cdot k$: 

$$\begin{aligned}
\phi(\chi(\mathcal{N}) \cdot k) \neq 0 \iff \phi(\,&(d' + b) \cdot (d' + c) \cdot (d + b' + c') \\
&\cdot (e' + a') \cdot (e + a) \\
&\cdot (f' + b) \cdot (f' + c) \cdot (f + b' + c') \\
&\cdot (g' + f') \cdot (g + f) \\
&\cdot (h' + e) \cdot (h' + g) \cdot (h + e' + g') \\
&\cdot (i + a') \cdot (i + d') \cdot (i' + a + d) \\
&\cdot (j' + h') \cdot (j + h) \\
&\cdot (i + j) \cdot (i' + j')\,) \neq 0.
\end{aligned}$$

Monotone variable fixing rule. The monotone variable fixing rule (positive- 
negative rule, or pure literal rule) resembles the above elimination rule. It 
claims that if variable $x_i$ occurs in the conjunctive normal form $\chi$ only either 
as positive or as negative literal, then all clauses which contain variable $x_i$ may 
be deleted. 

Lemma 5.2 (monotone variable fixing rule) The resulting conjunc- 
tive normal form is satisfiable if and only if $\chi$ is satisfiable. 

Proof: Without loss of generality, let us assume that none of the clauses 
of $\chi$ contains the negative literal $x_i'$. Then $\chi$ can be written as $\chi = D \cdot I$ 
where D and I are conjunctive normal forms. D consists of the clauses of $\chi$ 
which contain variable $x_i$. I consists of the clauses which are independent of 
$x_i$. Since I does not contain variable $x_i$, D can be satisfied by setting $x_i$ to 1 
without affecting the satisfiability of I. Thus, $\chi$ is satisfiable if and only if I is 
satisfiable. ■ 



Variable elimination rule. The variable elimination rule or splitting rule 
eliminates variables in conjunctive normal forms. Let the given conjunctive 
normal form $\chi$ be put into the Boolean formula 

$$(A + x_i) \cdot (B + x_i') \cdot I,$$

where A, B, and I are conjunctive normal forms which are independent of 
variable $x_i$. A and B are obtained by grouping together the clauses of $\chi$ that 
contain variable $x_i$ and factoring out the occurrences of $x_i$ and the occurrences 
of $x_i'$, respectively. I consists of the remaining clauses of $\chi$. Then the following 
two logically equivalent rules hold. 

Lemma 5.3 (Variable elimination rule) $\chi$ is not satisfiable if and 
only if $(A + B) \cdot I$ is not satisfiable. 

Lemma 5.4 (Splitting rule) $\chi$ is not satisfiable if and only if $A \cdot I$ is not 
satisfiable and $B \cdot I$ is not satisfiable. 

Proof: $\chi$ is not satisfiable, i.e., $\phi(\chi) = 0$, if and only if both the positive 
cofactor $\phi(\chi)_{x_i = 1}$ and the negative cofactor $\phi(\chi)_{x_i = 0}$ of $\phi(\chi)$ with respect to 
$x_i$ are not satisfiable. Because of 

$$\phi(\chi)_{x_i = 1} = \phi(B \cdot I) \quad \text{and} \quad \phi(\chi)_{x_i = 0} = \phi(A \cdot I),$$

the equivalence 

$$\phi(\chi) = 0 \iff \phi(A \cdot I) = 0 \ \text{and}\ \phi(B \cdot I) = 0$$

holds. Thus, $\chi$ is satisfiable if and only if $A \cdot I$ is satisfiable or $B \cdot I$ is satisfiable, 
i.e., if and only if 

$$\phi((A \cdot I) + (B \cdot I)) \neq 0$$

holds. ■ 

Although theoretically both the variable elimination rule and the splitting rule 
are equivalent, usually the splitting rule is used since the variable elimination 
rule can easily increase the number and the lengths of the clauses in the expres- 
sion after several applications [34, 37, 49]. 



A simple implementation of DLL is shown in the next section. However, 
before going into more details, we illustrate DLL by applying it to the above 
conjunctive normal form $\chi(\mathcal{N}) \cdot k$ which has already been reduced by the 
elimination of one-literal clauses. It is easy to see that BCP is not applicable. 
Thus, we have to apply the splitting rule. So, let d be the variable we want to 
eliminate in the next iteration. Then 

$$\begin{aligned}
A &= (b' + c') \cdot (i' + a) \\
B &= (b) \cdot (c) \cdot (i) \\
I &= (e' + a') \cdot (e + a) \\
  &\quad \cdot (f' + b) \cdot (f' + c) \cdot (f + b' + c') \\
  &\quad \cdot (g' + f') \cdot (g + f) \\
  &\quad \cdot (h' + e) \cdot (h' + g) \cdot (h + e' + g') \\
  &\quad \cdot (i + a') \\
  &\quad \cdot (j' + h') \cdot (j + h) \\
  &\quad \cdot (i + j) \cdot (i' + j').
\end{aligned}$$

Thus, to prove satisfiability of $\chi(\mathcal{N}) \cdot k$, we have to check whether $\phi(A \cdot I) \neq 0$ 
or $\phi(B \cdot I) \neq 0$. Let us start with $B \cdot I$ where BCP can be applied. Eliminating 
the three one-literal clauses {b}, {c}, and {i} of the conjunctive normal form 
$B \cdot I$ results in 

$$\begin{aligned}
\phi(B \cdot I) \neq 0 \iff \phi(\,&(e' + a') \cdot (e + a) \cdot (f) \\
&\cdot (g' + f') \cdot (g + f) \\
&\cdot (h' + e) \cdot (h' + g) \cdot (h + e' + g') \\
&\cdot (j' + h') \cdot (j + h) \cdot (j')\,) \neq 0.
\end{aligned}$$

The next iteration of BCP eliminates the one-literal clauses {f} and {j'}. Thus 

$$\begin{aligned}
\phi(B \cdot I) \neq 0 \iff \phi(\,&(e' + a') \cdot (e + a) \cdot (g') \cdot (h' + e) \\
&\cdot (h' + g) \cdot (h + e' + g') \cdot (h)\,) \neq 0
\end{aligned}$$

holds. By eliminating the one-literal clause {g'} in the next iteration, the right 
side of the above equivalence reduces to the conjunctive normal form 

$$(e' + a') \cdot (e + a) \cdot (h' + e) \cdot (h') \cdot (h),$$

which is not satisfiable because there are both the one-literal clause {h} and 
the one-literal clause {h'}. This fact is detected by DLL by eliminating clause 
{h'} which results in the conjunctive normal form 

$$(e' + a') \cdot (e + a) \cdot (\,),$$

which contains the empty clause $\emptyset$. 

Thus, $\chi(\mathcal{N}) \cdot k$ is satisfiable if and only if $A \cdot I$ is satisfiable. 

Before closing the section we will stress that for most SAT solvers a major 
portion (about 90% in most cases) of the solver's run time is spent in the BCP 
process [112, 136]. Therefore, an efficient BCP engine is the key to any efficient 
SAT solver. 
1.2.2 Implementation of the Davis-Logemann-Loveland procedure 

An overall Davis-Logemann-Loveland algorithm is shown in Figure 5.3. The 
algorithm is called by SATISFY($\chi$). In the BCP phase, the one-literal clause 
rule and the monotone variable fixing rule are iteratively applied to the conjunc- 
tive normal form $\chi$. After each step, procedure TERMINAL_CASE() checks 
whether one of the termination rules can be applied. BCP() returns either value 
SUCCESS, FAILURE, or UNSOLVED. If the satisfiability problem cannot be 
solved by the BCP procedure, the (new) conjunctive normal form $\chi$ has to be 
split with respect to some literal L which is determined by some branching 
rule. Note that $\chi \cdot L$ is satisfiable only if value 1 is assigned to literal L. Thus, 
$\chi \cdot L$ is satisfiable if and only if the cofactor of $\chi$ with respect to L = 1 is 
satisfiable. Thus the splitting phase of the above implementation realizes the 
splitting rule of DLL. 

SATISFY(χ) 
begin 
  switch BCP(χ) 
    case SUCCESS:  return SUCCESS; 
    case FAILURE:  return FAILURE; 
    case UNSOLVED: return SPLIT(χ); 
  end; 
end; 

BCP(χ) 
begin 
  if TERMINAL_CASE(χ, result) then return result fi; 
  while χ can be simplified by a Boolean constraint rule 
  do simplify χ; 
     if TERMINAL_CASE(χ, result) then return result fi; 
  od; 
  return UNSOLVED; 
end; 

SPLIT(χ) 
begin 
  choose a literal L occurring in χ; 
  if SATISFY(χ · L) then return SUCCESS else return SATISFY(χ · L') fi; 
end; 

Figure 5.3. Davis-Logemann-Loveland procedure 

1.2.3 Branching rules 

In the splitting phase, a literal L which occurs in $\chi$ is chosen and DLL generates 
two sub-problems: the first one in which value 1 is assigned to L and the second 
one in which L is set to value 0. It has been experimentally shown that the choice 
of the literal which is used for splitting makes an impact on the efficiency of 
DLL. The branching rule a SAT algorithm uses is one of the dominant factors 
in its success. 

Following the satisfaction hypothesis [61] "Other things being equal, a branch- 
ing rule performs better when it creates simpler subproblems", good branching 
heuristics are those which choose a literal L such that BCP($\chi \cdot L$) and BCP($\chi \cdot L'$) 
are as simple as possible. Note that BCP($\chi \cdot L$) and BCP($\chi \cdot L'$) extend the 
current (partially defined) assignment to the variables by following the logical 
consequences of the assignment L = 1 and L = 0, respectively. 

In the following, let us present the branching rules mostly applied in practice 
[49, 59, 61, 69, 90, 97, 148]. All of them give preference to variables or literals 
which occur in small clauses. By this means, the conjunctive normal form $\chi$ 
is quickly transformed into a form which contains one-literal clauses such that 
BCP can be applied and conflicts can be found. In Section 1.2.4 we will see 
that detected conflicts help prune the search space. 

MOM's heuristic. Maximum Occurrences on clauses of Minimum sizes 
(MOM) is a branching rule which gives preference to variables that occur fre- 
quently as positive as well as negative literal in the shortest clauses of $\chi$. More 
formally, let 

$$f_k(L) = |\{ c;\ c \in \chi,\ |c| = k,\ \text{and } L \in c \}|$$

be the number of occurrences of literal L in clauses which consist of k literals 
and K be the length of a shortest clause of $\chi$, then $f_K(L)$ denotes the number of 
occurrences of literal L in the shortest (unresolved) clauses of $\chi$. Now, MOM's 
heuristic selects a literal L such that $f_K(L) + f_K(L')$ is maximal. In order to 
obtain subproblems of approximately equal sizes, the minimum of these two 
quantities $f_K(L)$ and $f_K(L')$ should be maximal. These criteria can be modelled 
by 

$$\max_{\text{literal } L} \{ (f_K(L) + f_K(L')) \cdot 2^s + f_K(L) \cdot f_K(L') \}$$

for some adequate constant s (cf. [49, 94]). 

Jeroslow-Wang rules. There are two Jeroslow-Wang [69] branching rules. 
Both rules give preference to literals that occur often in small clauses of $\chi$ as 
well, but in a more sophisticated way than MOM's heuristic does. They are 
based on the function JW which associates a literal L with the weight 

$$JW(L) = \sum_{c \in \chi,\ L \in c} 2^{-|c|}.$$

The one-sided JW branching rule selects the literal L with the largest value 
JW(L). The two-sided JW branching rule selects a variable $x_i$ such that the 
combined value $JW(x_i) + JW(x_i')$ is maximal. In the algorithm shown in 
Figure 5.3, literal L is set to $x_i$, if $JW(x_i) > JW(x_i')$ holds (and the two-sided 
JW branching rule is applied). 
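The procedure of Figure 5.3 and the branching rules of this section in one runnable Python example (added here; it is not the book's code and not any of the cited solvers). The CNF is a list of clauses, each a frozenset of integer literals ($x_i$ as i, $x_i'$ as -i); bcp() applies the one-literal clause rule and the monotone variable fixing rule with the termination rules checked after every step, satisfy() adds the splitting rule, and first_literal, mom, jw_one_sided and jw_two_sided are interchangeable branching rules. MITER is $\chi(\mathcal{N}) \cdot k$ of Figure 5.2 with a..k numbered 1..11, so after the one-literal clause rule removes k the 20 clauses of Section 1.2.1 remain and DLL must report FAILURE whichever rule it uses. The constant s of MOM and its tie-break are assumptions of this example, as are all function names.

```python
from collections import Counter

SUCCESS, FAILURE, UNSOLVED = "SUCCESS", "FAILURE", "UNSOLVED"

def cnf(*clauses):
    """Conjunctive normal form: list of clauses, each a frozenset of int literals."""
    return [frozenset(c) for c in clauses]

def terminal_case(chi):
    """Termination rule I (empty CNF -> SUCCESS) and rule II (empty clause -> FAILURE)."""
    if not chi:
        return SUCCESS
    if any(len(c) == 0 for c in chi):
        return FAILURE
    return None

def one_literal_clause_rule(chi, L):
    """Strike out the clauses containing L and delete L' from the remaining ones."""
    return [c - {-L} for c in chi if L not in c]

def monotone_variable_fixing_rule(chi):
    """Delete every clause containing a literal whose complement never occurs."""
    literals = set().union(*chi)
    pure = {L for L in literals if -L not in literals}
    return [c for c in chi if not (c & pure)]

def bcp(chi):
    """BCP() of Figure 5.3: apply the two rules until neither changes chi."""
    while True:
        result = terminal_case(chi)
        if result:
            return chi, result
        unit = next((next(iter(c)) for c in chi if len(c) == 1), None)
        if unit is not None:
            chi = one_literal_clause_rule(chi, unit)
            continue
        reduced = monotone_variable_fixing_rule(chi)
        if len(reduced) == len(chi):
            return chi, UNSOLVED
        chi = reduced

def satisfy(chi, branching_rule, stats=None):
    """SATISFY() of Figure 5.3; chi . L is chi plus the one-literal clause {L}."""
    chi, result = bcp(chi)
    if result != UNSOLVED:
        return result
    if stats is not None:
        stats["splits"] = stats.get("splits", 0) + 1
    L = branching_rule(chi)
    if satisfy(chi + [frozenset([L])], branching_rule, stats) == SUCCESS:
        return SUCCESS
    return satisfy(chi + [frozenset([-L])], branching_rule, stats)

def first_literal(chi):
    """Naive rule: the smallest literal of a shortest clause."""
    return min(min(chi, key=len))

def mom(chi, s=1):
    """MOM: maximise (f_K(L) + f_K(L')) * 2^s + f_K(L) * f_K(L') over the literals of
    the shortest clauses. s = 1 and the tie-break (more frequent polarity) are assumed."""
    K = min(len(c) for c in chi)
    f = Counter(L for c in chi if len(c) == K for L in c)
    return max(f, key=lambda L: ((f[L] + f[-L]) * 2 ** s + f[L] * f[-L], f[L]))

def jw_weights(chi):
    """JW(L) = sum over the clauses c containing L of 2^-|c|."""
    w = Counter()
    for c in chi:
        for L in c:
            w[L] += 2.0 ** -len(c)
    return w

def jw_one_sided(chi):
    w = jw_weights(chi)
    return max(w, key=w.get)

def jw_two_sided(chi):
    """Variable maximising JW(x) + JW(x'); the literal is x if JW(x) > JW(x')."""
    w = jw_weights(chi)
    x = max({abs(L) for L in w}, key=lambda v: w[v] + w[-v])
    return x if w[x] > w[-x] else -x

# chi(N) . k of the Figure 5.2 miter, a..k numbered 1..11 (clauses taken from the text).
MITER = cnf((-4, 2), (-4, 3), (4, -2, -3), (-5, -1), (5, 1), (-6, 2), (-6, 3), (6, -2, -3),
            (-7, -6), (7, 6), (-8, 5), (-8, 7), (8, -5, -7), (9, -1), (9, -4), (-9, 1, 4),
            (-10, -8), (10, 8), (-11, 9, 10), (-11, -9, -10), (11, -9, 10), (11, 9, -10), (11,))

def compare_rules(chi=MITER):
    """DLL result and number of splits under each branching rule."""
    out = {}
    for name, rule in [("first", first_literal), ("MOM", mom),
                       ("JW1", jw_one_sided), ("JW2", jw_two_sided)]:
        stats = {}
        out[name] = (satisfy(chi, rule, stats), stats.get("splits", 0))
    return out

if __name__ == "__main__":
    print(len(bcp(MITER)[0]), "clauses left after BCP;", compare_rules())
```

Because the rules are plain functions on the current CNF, the same harness can be used to compare split counts on larger instances; the MITER formula is far too small for the differences between MOM and the JW rules to matter.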

1.2.4 Pruning the search space by using detected conflicts 

Given an initial conjunctive normal form $\chi$, one can attempt to augment it with 
additional clauses to increase the deductive power during the search process. 
This technique is called clause recording in the literature (cf. [80]). Let us justify 
the statement just made by an example. 

Let $\chi$ be the conjunctive normal form defined by 

$$\begin{aligned}
&(x_9' + x_{14}) \cdot (x_{10} + x_{15}') \cdot (x_{11}' + x_{16}) \cdot (x_1' + x_2 + x_9) \\
&\cdot (x_1 + x_{11}) \cdot (x_1' + x_3 + x_9 + x_{10}' + x_{11}) \cdot (x_2' + x_3' + x_4) \\
&\cdot (x_4' + x_5 + x_6') \cdot (x_4' + x_6) \cdot (x_5' + x_6') \\
&\cdot (x_1 + x_7 + x_{12}') \cdot \chi_1
\end{aligned}$$

where $\chi_1$ is some adequate conjunctive normal form. Let us assume that BCP 
is not applicable to formula $\chi$ because of subformula $\chi_1$ and that literal $x_9'$ is 
chosen by the branching rule, i.e., SATISFY($\chi \cdot x_9'$) is called. Applying BCP 
to $\chi \cdot x_9'$ results in 

$$\begin{aligned}
&(x_{10} + x_{15}') \cdot (x_{11}' + x_{16}) \cdot (x_1' + x_2) \cdot (x_1 + x_{11}) \\
&\cdot (x_1' + x_3 + x_{10}' + x_{11}) \cdot (x_2' + x_3' + x_4) \cdot (x_4' + x_5 + x_6') \\
&\cdot (x_4' + x_6) \cdot (x_5' + x_6') \cdot (x_1 + x_7 + x_{12}') \cdot \chi_2.
\end{aligned}$$

Once again, we assume that the algorithm has to branch and that literal $x_{10}$ 
is chosen by the branching rule this time. Applying BCP to the subproblem 
BCP($\chi \cdot x_9'$) $\cdot\, x_{10}$ results in 

$$\begin{aligned}
&(x_{11}' + x_{16}) \cdot (x_1' + x_2) \cdot (x_1 + x_{11}) \cdot (x_1' + x_3 + x_{11}) \\
&\cdot (x_2' + x_3' + x_4) \cdot (x_4' + x_5 + x_6') \cdot (x_4' + x_6) \\
&\cdot (x_5' + x_6') \cdot (x_1 + x_7 + x_{12}') \cdot \chi_3.
\end{aligned}$$

In the next iteration, literal $x_{11}'$ may be chosen to split the problem and we 
obtain 

$$\begin{aligned}
&(x_1' + x_2) \cdot (x_1) \cdot (x_1' + x_3) \cdot (x_2' + x_3' + x_4) \cdot (x_4' + x_5 + x_6') \\
&\cdot (x_4' + x_6) \cdot (x_5' + x_6') \cdot (x_1 + x_7 + x_{12}') \cdot \chi_4.
\end{aligned}$$

Now, BCP assigns value 1 to variable $x_1$ because there is a clause which only 
consists of literal $x_1$. This assignment reduces the above formula to the con- 
junctive normal form 

$$(x_2) \cdot (x_3) \cdot (x_2' + x_3' + x_4) \cdot (x_4' + x_5 + x_6') \cdot (x_4' + x_6) \cdot (x_5' + x_6') \cdot \chi_5.$$

Once again, there are one-literal clauses and BCP assigns value 1 to the literals 
$x_2$, $x_3$, and $x_4$ in the further iterations which results in 

$$(x_5 + x_6') \cdot (x_6) \cdot (x_5' + x_6') \cdot \chi_6.$$

Because of the one-literal clause $\{x_6\}$, BCP transforms this conjunctive normal 
form into 

$$(x_5) \cdot (x_5') \cdot \chi_7,$$

which results in a conflict in the next iteration of BCP. This conflict is due to 
the decisions made by the branching rule, namely the assignment of value 0 to 
variable $x_9$, value 1 to variable $x_{10}$, and value 0 to variable $x_{11}$. Because of the 
conflict, any satisfying assignment of $\chi$ must satisfy clause $x_9 + x_{10}' + x_{11}$. 
Thus, $\chi$ can be augmented by this new clause which is called conflict induced 
clause. The conflict induced clause averts future occurrences of the same 
conflict as whenever two of the three literals are deleted from this clause by 
DLL, the one-literal clause generated in this way takes care that we are not led 
to the same conflict. 

Different conflict analysis procedures which compute conflict induced clauses 
have been proposed in literature. We refer to [95, 96, 97, 112, 148, 149]. We 
will describe the underlying ideas of conflict analysis procedures in the next 
section. 

1.2.5 Conflict analysis procedure 

In order to obtain efficient conflict analysis procedures, each branching decision 
made by SPLIT() and each implication drawn by BCP() is captured by an 
implication graph [97] which is a directed graph defined as follows: 

■ Each node of the implication graph is either an assignment node or a conflict 
node. There is at most one conflict node. 

■ Each assignment node corresponds to an assignment (0 or 1) of a variable 
$x_i$ of the initial conjunctive normal form under consideration. In DLL, 
variable assignments are carried out either by the splitting phase or the 
BCP phase. As variable assignments made by the BCP phase are logical 
implications, the corresponding nodes of the implication graph are called 
induced nodes. The nodes which correspond to variable assignments carried 
out by the branching rule are called decision nodes. Each node is tagged 
with this information. Note that for the sake of convenience we will often 
call a node by its corresponding variable assignment. 

■ An induced node v has predecessors. The predecessors are those variable 
assignments which directly imply the variable assignment node v stands for. 
More formally, let $c = \{L_1, \ldots, L_k\}$ be a clause of the initial conjunctive 
normal form under consideration. If the SAT solver has assigned value 0 to 
each of the literals $L_1, \ldots, L_{k-1}$, then literal $L_k$ has to be assigned value 1 in 
order to satisfy clause c (see the one-literal clause rule). Thus, the induced 
node $L_k = 1$ and $k - 1$ edges $e_1, \ldots, e_{k-1}$ are inserted into the implication 
graph by the BCP phase. Edge $e_j$ leaves node $L_j = 0$ and enters the induced 
node $L_k = 1$. 

■ The conflict node has predecessors as well. The predecessors of a conflict 
node are those nodes whose variable assignments are directly responsible 
for the conflict. 

■ A decision node has no incident predecessor. 

The implication graph is used for conflict analysis and performing implications. 
As performing implications is a very time-consuming task in formal equivalence 
checking, it is very important to use an efficient and suited data structure. For 
more details, we refer to [137]. 

Figure 5.4a shows the implication graphs of the first five steps carried out in 
the example shown in Section 1.2.4. For illustration, we have enumerated the 
clauses of the initial conjunctive normal form $\chi$: 

1 : $(x_9' + x_{14})$ 

2 : $(x_{10} + x_{15}')$ 

3 : $(x_{11}' + x_{16})$ 

4 : $(x_1' + x_2 + x_9)$ 

5 : $(x_1 + x_{11})$ 

6 : $(x_1' + x_3 + x_9 + x_{10}' + x_{11})$ 

7 : $(x_2' + x_3' + x_4)$ 

8 : $(x_4' + x_5 + x_6')$ 

9 : $(x_4' + x_6)$ 

10 : $(x_5' + x_6')$ 

11 : $(x_1 + x_7 + x_{12}')$ 

12 : ... 

Figure 5.4a. First five implication graphs of the example from above. 

Decision nodes are marked by hatching. Edges are tagged with the clause which 
is responsible for the implication. For example, in Step 5 the sixth clause 

$$(x_1' + x_3 + x_9 + x_{10}' + x_{11})$$

is responsible for the assignment of value 1 to variable $x_3$ as all its literals but 
$x_3$ are not satisfied by the variable assignment made by the time. Thus, there 
are edges from the nodes $x_1 = 1$, $x_9 = 0$, $x_{10} = 1$, and $x_{11} = 0$ to the induced 
node $x_3 = 1$. The final implication graph after having detected the conflict is 
shown in Figure 5.4b. 

Figure 5.4b. Final implication graph. 



Given an implication graph with a conflict node, the variable assignments car- 
ried out by the branching rule which are responsible for the conflict node can 
be gathered by inverting all the edges of the implication graph and exploring 
the graph starting at the conflict node. An exploration path is aborted if a deci- 
sion node is reached. More formally, given a node v of the implication graph, 
the set of decision nodes which are responsible for the corresponding variable 
assignment is given by 

$$causes(v) = \begin{cases} \{v\}, & \text{if } v \text{ is a decision node} \\ \bigcup_{w \in pred(v)} causes(w), & \text{if } v \text{ is an induced node} \end{cases}$$

where 

$$pred(v) = \{ w;\ (w, v) \text{ is an edge of the implication graph} \}$$

is the set of the direct predecessors of v in the current implication graph (cf. 
[97]). 

In our example the assignments $x_9 = 0$, $x_{10} = 1$, and $x_{11} = 0$ are responsible 
for the conflict, i.e., if the formula $x_9' \cdot x_{10} \cdot x_{11}'$ evaluates to 1, then the above 
conflict appears. Negating the formula results in the clause $(x_9 + x_{10}' + x_{11})$. 
This clause has to be satisfied for every variable assignment which satisfies the 
initial conjunctive normal form $\chi$. 

More sophisticated conflict analysis procedures (see for example GRASP (Generic 
seaRch Algorithm for the Satisfiable Problem) [97] and CHAFF [112]) take ad- 
vantage of the fact that each cut of the implication graph which has all the 
decision nodes on one side (called reason side) and the conflicting node at the 
other side (called conflict side) defines a conflict induced clause [149]. All the 
nodes on the reason side which have at least one edge to the conflict side are 
part of the reason for the conflict. Figure 5.5 shows three different cuts which 
imply the conflict induced clauses 

$$x_9 + x_{10}' + x_{11},$$

$$x_2' + x_3',$$

and 

$$x_4',$$

respectively. This observation leads to the idea of generating stronger conflict 
induced clauses, i.e., clauses which contain fewer literals. This can be done by a 
more careful analysis of the structure of the implication graph. For example, in 
[97] so called unique implication points play a decisive role in this context. A 
unique implication point with respect to a detected conflict represents a variable 
assignment which, by itself, can trigger sequences of implied assignments that 
yield the conflict. 

Figure 5.5. Some cuts of the implication graph. 

Definition 5.3 (unique implication point) A node v of the implica- 
tion graph is said to dominate another node w of the implication graph, if and 
only if any path from the latest decision node to node w needs to go through 
node v. A node which dominates the conflict node of the implication graph is 
called unique implication point. 

For illustration, consider the implication graph shown in Figure 5.4b. Node 
$x_4 = 1$ is a unique implication point. Indeed, the induced variable assignment 
$x_4 = 1$ yields by itself the identified conflict. The more general case is shown 
in Figure 5.6. Let us assume that node $x_7 = a$ ($a \in \{0, 1\}$) is the latest decision 
node. Then, node $x_8 = b$ ($b \in \{0, 1\}$) dominates the conflict node as any path 
from node $x_7 = a$ to the conflict node goes through node $x_8 = b$. In GRASP 
[97], two clauses are added to the clause database if a unique implication point 
is found. The first clause corresponds to the cut where the variable assignments 
induced by the unique implication point are put on the conflict side and the 
remaining nodes are put on the reason side. In the implication graph of Figure 
5.6, this clause is given by 

$$x_1' + x_2' + x_3' + x_4' + x_8^{b'}$$

where $x_8^0$ and $x_8^1$ denote $x_8'$ and $x_8$, respectively. The second clause added by 
GRASP describes the reconvergence between the latest decision node and the 
unique implication point. That is, clause 

$$x_8 + x_9 + x_4' + x_7' + x_5 + x_6',$$

which describes the logical implication 

$$(x_9' \cdot x_4 \cdot x_7 \cdot x_5' \cdot x_6) \rightarrow x_8,$$

is added in our example. Note that, in some sense, the two clauses completely 
specify the current conflict. 
Figure 5.6. Unique implication point. 
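Sections 1.2.4 and 1.2.5 worked through in code, as an added example (not the book's code and not GRASP or CHAFF): propagate() runs BCP over clauses 1 to 11 of Section 1.2.4 while recording the implication graph as a map from each node (var, value) to its predecessor edges, causes() is the recursion defined above, cut_clause() derives the conflict induced clause of a cut from the reason-side nodes with an edge into the conflict side, and unique_implication_points() finds the nodes on every path from the latest decision node to the conflict node. The unspecified remainder $\chi_1$ of the formula is omitted, and the function names are assumptions of this example. With the decisions $x_9 = 0$, $x_{10} = 1$, $x_{11} = 0$ the three cuts of Figure 5.5 and the unique implication point $x_4 = 1$ of Figure 5.4b come out as in the text.

```python
# Clauses 1..11 of Section 1.2.4 (the unspecified rest chi_1 is omitted);
# literal x_i is written i, its complement x_i' is -i.
CLAUSES = {1: (-9, 14), 2: (10, -15), 3: (-11, 16), 4: (-1, 2, 9), 5: (1, 11),
           6: (-1, 3, 9, -10, 11), 7: (-2, -3, 4), 8: (-4, 5, -6), 9: (-4, 6),
           10: (-5, -6), 11: (1, 7, -12)}
CONFLICT = "conflict"

def node_of(L):
    """The assignment node (var, value) that makes literal L true."""
    return (abs(L), 1 if L > 0 else 0)

def propagate(clauses, decisions):
    """BCP that records the implication graph. Returns (assignment, pred), where
    pred maps a node or CONFLICT to its (predecessor, clause id) edges; decision
    nodes map to []. The scan restarts after each implication, as in the text."""
    assignment, pred = {}, {}
    for var, value in decisions:
        assignment[var] = value
        pred[(var, value)] = []
    changed = True
    while changed:
        changed = False
        for cid in sorted(clauses):
            clause = clauses[cid]
            if any(assignment.get(abs(L)) == (1 if L > 0 else 0) for L in clause):
                continue                                   # clause already satisfied
            unassigned = [L for L in clause if abs(L) not in assignment]
            falsifiers = [(abs(L), assignment[abs(L)]) for L in clause if abs(L) in assignment]
            if not unassigned:                             # every literal is 0: conflict
                pred[CONFLICT] = [(n, cid) for n in falsifiers]
                return assignment, pred
            if len(unassigned) == 1:                       # one-literal clause rule
                node = node_of(unassigned[0])
                assignment[node[0]] = node[1]
                pred[node] = [(n, cid) for n in falsifiers]
                changed = True
                break
    return assignment, pred

def causes(pred, v):
    """Decision nodes responsible for node v: the causes() recursion of the text."""
    if not pred[v]:
        return {v}
    return set().union(*(causes(pred, w) for w, _ in pred[v]))

def clause_of(nodes):
    """Negate a set of assignments: (x, 1) contributes x', (x, 0) contributes x."""
    return frozenset(-x if value == 1 else x for x, value in nodes)

def cut_clause(pred, conflict_side):
    """Conflict induced clause of a cut: reason-side nodes with an edge into the conflict side."""
    reason = {w for v in conflict_side for w, _ in pred.get(v, []) if w not in conflict_side}
    return clause_of(reason)

def unique_implication_points(pred, latest_decision):
    """Nodes lying on every path from the latest decision node to the conflict node."""
    succ = {}
    for v, edges in pred.items():
        for w, _ in edges:
            succ.setdefault(w, []).append(v)
    paths = []
    def walk(v, path):
        if v == CONFLICT:
            paths.append(set(path))
            return
        for nxt in succ.get(v, []):
            walk(nxt, path + [nxt])
    walk(latest_decision, [])
    return set.intersection(*paths) - {CONFLICT} if paths else set()

def analyse_example():
    """The decision sequence of Section 1.2.4: x9 = 0, x10 = 1, x11 = 0."""
    assignment, pred = propagate(CLAUSES, [(9, 0), (10, 1), (11, 0)])
    induced = {v for v in pred if v != CONFLICT and pred[v]}
    return {
        "conflict": CONFLICT in pred,
        "decision_clause": clause_of(causes(pred, CONFLICT)),
        "uips": unique_implication_points(pred, (11, 0)),
        "cut_all_induced": cut_clause(pred, induced | {CONFLICT}),   # cut 1 of Figure 5.5
        "cut_after_x4": cut_clause(pred, {(4, 1), (5, 1), (6, 1), CONFLICT}),
        "cut_after_x6": cut_clause(pred, {(5, 1), (6, 1), CONFLICT}),
    }

if __name__ == "__main__":
    print(analyse_example())
```

The path enumeration in unique_implication_points() is adequate for a graph of this size; a solver would compute dominators incrementally instead, but the definition being checked is the same.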



1.3 Using BDDs to speed up SAT methods 

In [55] and [123], Boolean satisfiability methods have been integrated with 
BDDs to reduce both the problem size and the number of backtracks for the 
satisfiability problem. We review both approaches in the next two subsections. 

1.3.1 The approach of Gupta and Ashar 

In the approach of [55], the miter is partitioned such that the output of the miter 
is on one side and the primary inputs of the miter are on the other side. A 
single BDD is used to capture the fanout part, that is the partition of the miter 
near its output. SAT clauses capture the fanin part. For illustration, see Figure 
5.7 which shows a miter partitioned into a fanin part and a fanout part. The 
ROBDD which describes the fanout part is shown in Figure 5.7 as well. The 
conjunctive normal form $\chi(\mathcal{N}_{fanin})$ which describes the consistent signal line 
assignments of the fanin part of the circuit is given by 

$$\begin{aligned}
\chi(\mathcal{N}_{fanin}) = {}& (d + b) \cdot (d + c) \cdot (d' + b' + c') \\
&\cdot (e' + a') \cdot (e + a) \\
&\cdot (f' + b) \cdot (f' + c) \cdot (f + b' + c') \\
&\cdot (i + a') \cdot (i + d') \cdot (i' + a + d).
\end{aligned}$$

Figure 5.7. Illustration of the approach of Gupta and Ashar [55]. 

The BDD and the conjunctive normal form share variables, namely those which 
correspond to signal lines crossed by the boundary between the fanin part and 
the fanout part (which we call cut in the following as well). These variables 
are called cutset variables. In the above example, the set of the cutset variables 
consists of the signal lines i, e, and f. 

Now, remember that the objective is to check whether there is an assignment 
to the primary inputs of the miter such that its output line evaluates to value 
1. It is straightforward to see that the miter is satisfiable if and only if there is 
an assignment to the cutset variables which is in the on-set of the BDD of the 
fanout part and which can be extended to an assignment to the signal lines of 
the fanin part which satisfies the conjunctive normal form $\chi(\mathcal{N}_{fanin})$. Look at 
our example. Assigning the logic values 1, 0, and 1 to the cutset variables e, f, 
and i, respectively, proves the miter to be satisfiable. The assignment (1, 0, 1) 
to (e, f, i) is in the on-set of the BDD of the fanout part and it can be extended 
to a consistent assignment to the signal lines of the fanin part, namely a = 0, 
b = 0, c = 0, d = 1, e = 1, f = 0, and i = 1 (see Figure 5.8). Because of its 
consistency, this signal line assignment satisfies the conjunctive normal form 
$\chi(\mathcal{N}_{fanin})$. 




Figure 5.8. Consistent assignment to the signal lines of the fanin part such that the assignment 
of the cutset variables is in the on-set of the BDD of the fanout part. 



A naive implementation of this approach is to enumerate each path which starts 
at the root of the BDD of the fanout part and ends at terminal node 1. For 
each such path, the (partial) assignment to the cutset variables can be taken to 
augment the conjunctive normal forms by the corresponding one-literal clauses. 
In the above example, there are three such paths which correspond to the partial 
variable assignments 

■ e = 0 and i = 0, 

■ e = 1, f = 1, and i = 0, and 

■ e = 1, f = 0, and i = 1, 

respectively. Thus, the three SAT problems 

■ $\chi(\mathcal{N}_{fanin}) \cdot (e') \cdot (i')$, 

■ $\chi(\mathcal{N}_{fanin}) \cdot (e) \cdot (f) \cdot (i')$, and 

■ $\chi(\mathcal{N}_{fanin}) \cdot (e) \cdot (f') \cdot (i)$ 

have to be solved, independently of each other. If any of these problems has 
a solution, the miter is satisfiable and the two circuits to be compared are not 
functionally equivalent. 

A more sophisticated way has been proposed by Gupta and Ashar [55]. In their 
approach, the SAT engine is applied to the conjunctive normal form $\chi(\mathcal{N}_{fanin})$ 
of the fanin part and proceeds as it is described in the above sections. How- 
ever, whenever a cutset variable is being bound in the SAT procedure, they 
check whether the partial variable assignment obtained so far has a non-null 
intersection with the on-set of the BDD, i.e., whether the partial assignment to 
the cutset variables can be extended to a full assignment to the cutset variables 
which is in the on-set of the BDD. If it does not, each extension of the current 
partial assignment to the cutset variables can be ruled out. This Early Bounding 
approach essentially prunes off large subspaces of the decision tree. 

1.3.2 The approach of Reda and Salem 

In the approach of [123], the miter is also partitioned such that the primary output of the miter is on one side and the primary inputs of the miter are on the other side. However, the conjunctive normal form is built for the fanout part and the ROBDD $F_s$ of every cutset variable $s$ is built. Figure 5.9 illustrates the idea. It shows the ROBDDs of the cutset variables as well. The conjunctive normal form $\chi(N_{fanout})$ which describes the consistent signal line assignments of the fanout part of the circuit is given by

$$\begin{aligned}
\chi(N_{fanout}) = {} & (g' + f') \cdot (g + f) \\
& \cdot (h' + e) \cdot (h' + g) \cdot (h + e' + g') \\
& \cdot (j' + h') \cdot (j + h) \\
& \cdot (k' + i + j) \cdot (k' + i' + j') \\
& \cdot (k + i' + j) \cdot (k + i + j').
\end{aligned}$$

In order to check the consistency of the variable assignments made by the SAT engine applied to $\chi(N_{fanout}) \cdot (k)$, a ROBDD $B$ is used to store the characteristic function of the set of the assignments to the primary miter inputs. These inputs imply the variable assignments to the cutset variables already bound by the SAT engine. The ROBDD $B$ is initialized to the constant BDD 1. Now, whenever a cutset variable $v$ is assigned a value $b \in \{0, 1\}$ by the SAT engine, ROBDD $B$ is updated. It is intersected with either $F_v$ if $b = 1$ or $\mathrm{NOT}(F_v)$ if $b = 0$. If at any time ROBDD $B$ reduces to 0, a contradiction has been found. The SAT engine has to backtrack.

For illustration, consider the circuit shown in Figure 5.9. Assume that the SAT engine decided to assign value 0 to variable $i$ and value 1 to variable $j$. The latter decision directly implies the variable assignment $h = 0$. After these variable assignments, the current conjunctive normal form of the fanout part is given by

$(g' + f') \cdot (g + f) \cdot (e' + g').$

Figure 5.9. Illustration of the approach of Reda and Salem [123].

At this time, ROBDD $B$ is equal to the ROBDD $\mathrm{NOT}(F_i)$ as variable $i$ is the only cutset variable which is bound. Now assume that the SAT engine decides to assign value 0 to $g$. This directly induces that value 1 is assigned to cutset variable $f$. The conjunctive normal form above is satisfied. However, the intersection of the current ROBDD $B$ and ROBDD $F_f$ is 0. Thus, there is no assignment to the miter inputs which justifies the current variable assignment of the cutset variables $i$ and $f$. A conflict has been detected and the SAT engine has to backtrack.

2. ATPG based equivalence checking 

ATPG (automated test pattern generation) based equivalence checking is closely related to SAT based equivalence checking. The most important difference between SAT and ATPG results from the fact that SAT-algorithms operate on conjunctive normal forms while ATPG-algorithms generally operate on Boolean networks. While research around SAT started in the context of automated theorem proving and was regarded as a subfield of artificial intelligence, research in ATPG was primarily driven by circuit testing. For a detailed comparison of SAT and ATPG we refer to [80].

Section 2.1 and Section 2.2 partly follow [1].

2.1 Introduction 

In the following we give a short introduction to circuit testing, and show the interrelation of circuit testing and combinational equivalence checking.

2.1.1 Circuit testing 

Let $N$ be a Boolean network and $\phi(N) \in B_{n,m}$ be the Boolean function represented by $N$. The presence of a fabrication fault $p$ transforms $N$ into a new circuit $N_p$. Let us assume that $N_p$ is a Boolean network as well, and that its behavior is described by the Boolean function $\phi(N_p) \in B_{n,m}$. The problem of testing for fault $p$ is to find an input vector $a \in \{0, 1\}^n$ such that

$\phi(N)(a) \neq \phi(N_p)(a)$

holds. Such a vector $a$ is called test vector or distinguishing vector for fault $p$. If $N$ is a hardware implementation of a single-output Boolean function, then a vector $a$ is a test vector for some fault $p$ if and only if

$\phi(N)(a) \oplus \phi(N_p)(a) = 1.$

2.1.2 The stuck-at-fault model 

Physical faults are partly modelled by logical faults. This approach reduces the 
complexity of testing as many different physical faults can be modelled by the 
same logical fault. Moreover, the problem of fault analysis becomes a logical 
rather than a physical problem. 

In many technologies, a short between ground or power and a signal line or an open on a unidirectional signal line can make the signal remain at a fixed voltage level [33]. This behavior is modelled by the stuck-at-fault model. A stuck-at-fault is a logical fault which consists of a signal being stuck at a fixed logic value $b \in \{0, 1\}$. It is denoted by s-a-$b$.

For testing a signal $e$ for s-a-$b$, a vector has to be found that activates the fault, i.e., assigns value $b'$ to signal $e$ in the faultless circuit. This phase is usually called justification process or activation process. Thus, different values occur at the site of the fault in the faultless and in the faulty circuit. This difference has to be propagated to a primary output.
2.1.3 Testing and equivalence checking

Let us look at the miter shown in Figure 5.1. The Boolean networks F and G 
are functionally equivalent if and only if there is no assignment to the primary 
inputs of the miter such that the output line evaluates to 1. To test the output 
for s-a-0, a test vector has to be applied that activates the fault, i.e., satisfies the 
miter. Thus, in some sense, combinational equivalence checking is a special 
case of testing for stuck-at-faults. Only the activation phase has to be carried 
out, the propagation phase can be omitted. 

2.2 Basic methods for ATPG based equivalence checking 

As just mentioned, we only have to concentrate on the activation phase. Con- 
sider the miter of Figure 5.2, once again. In order to justify value 1 at output k, 
either signal line i or signal line j has to be assigned value 1. Thus, the search 
for a solution involves a decision process. Let us first try to justify i = 1 and 
j = 0. For illustration, please see Figure 5.10. By backward implication, the 




Figure 5.10. Justifying $i = 1$ and $j = 0$



signal assignment $j = 0$ induces assignment $h = 1$. Iteratively, it implies the assignments $e = 1$, $g = 1$, $a = 0$, and $f = 0$ by backward implication. To justify $f = 0$, signal line $b$ or signal line $c$ has to be assigned value 0. Both alternatives directly induce that value 0 has to be assigned to signal line $d$. As both signal line $a$ and signal line $d$ are assigned value 0, signal line $i$ has to be 0 as well. However, this conflicts with the fact that we wanted to justify $i = 1$. Thus, we have to backtrack and try to justify $i = 0$ and $j = 1$. Since this justification process results in a conflict also, there is no assignment to the primary inputs of the miter which activates s-a-0 at output $k$. Thus, output $k$ cannot be tested for s-a-0 and the two circuits are functionally equivalent.

2.2.1 Justification procedure

For the justification procedure, in addition to the values 0 and 1 a third logic 
value X which describes the unknown value is required. In a preprocessing 
step, value X is assigned to each signal line but the primary output signal of 
the miter which is assigned value 1. 



JUSTIFY()
begin
    if IMPLICATION() = FAILURE then return FAILURE fi;
    if J-frontier is the empty set then return SUCCESS fi;
    select a gate G from J-frontier;
    repeat
        select one untried (partial) assignment of the inputs of G
            which justifies the assignment at the output of G, and
            update J-frontier;
        if JUSTIFY() = SUCCESS then return SUCCESS fi;
        restore J-frontier;
    until no untried assignment of the inputs of G exists;
    return FAILURE;
end

Figure 5.11. Justification procedure

During the justification process, we have to keep track of the currently un- 
justified output signals of gates, i.e., output signals of gates which have been 
assigned a value of 0 or 1, but where this value is not yet implied by the logic 
values at the gate inputs. The set is called J-frontier. Thus, at the beginning of 
the justification process J-frontier consists of the output signal line of the miter 
only. 

Figure 5.11 outlines the justification procedure. Procedure IMPLICATION() computes all signal line assignments which can uniquely be determined by implication, maintains the J-frontier, and checks for consistency. If the consistency check fails, the procedure reports FAILURE. First of all, local implications are applied by procedure IMPLICATION(). Local implications are implications which propagate values over one basic gate. Exemplarily, the local implications which correspond to the AND-gate and the EXOR-gate are shown in Table 5.2a and Table 5.2b, respectively; $z$ denotes the output signal line of the basic gate. The input signal lines are denoted by $x_1$ and $x_2$.

Table 5.2a. The local implications of the AND-gate

Table 5.2b. The local implications of the EXOR-gate

The efficiency of the justification process strongly depends on the power of the local and global implications used. Global implications have to be learned. We are going to present learning strategies in Section 2.2.2. These results are mainly due to Kunz [82].

After application of the implication rules, the justification process checks whether 
there are unjustified signal assignments. If the J-frontier is empty, then all the 
signal assignments made are justified by the signal assignments to the primary 
inputs of the miter. Otherwise, a gate G whose output is unjustified is chosen. 
At this point, (usually) there are several alternative ways to solve the local jus- 
tification problem. For example, assume that G is an AND-gate whose input 
signal lines are assigned value X and whose output signal is assigned value 0. 
Then, the justification process has to assign value 0 to one of the input signal 
lines of G. The algorithm selects one of the alternative ways and tries to solve 
the problem. This process continues until a solution is found or all possible 
choices have failed. More details on this basic backtracking algorithm can be 
found in [1].

2.2.2 Learning global implications 

As already mentioned, the efficiency of the justification process strongly de- 
pends on the available implication rules. In addition to local implication 
rules, global implication rules which involve larger areas of the circuit and 
reconvergent fanouts are necessary to obtain a powerful justification engine 
[133, 134, 135]. Figure 5.12 shows the circuit often used for illustration of 
global implications [1, 82]. Obviously, the assignment c = 1 at the output line 




Figure 5.12. Global implication rule. 



of the OR-gate cannot be justified by local implications. At first glance, we have to decide whether we try to justify $c = 1$ by setting either $a = 1$ or $b = 1$, at first. However, a closer look reveals that $x_2$ has to be 1, independently of the chosen alternative. This can easily be "learned" by assigning value $X$ to all signal lines but $x_2$ which is assigned value 0. By local implications, it can be concluded that signal lines $a$ and $b$ are assigned value 0, too. Thus, the assignment $x_2 = 0$ implies the assignment $c = 0$. Thus, we have obtained the implication

$x_2 = 0 \Rightarrow c = 0.$

By means of contraposition, the implication transforms into

$c = 1 \Rightarrow x_2 = 1$

which is of larger interest, since it cannot be obtained with local implications only.

Schulz et al. [134] proposed to conduct learning in a preprocessing phase, i.e., 
before the justification process is invoked. This approach which is called static 
learning tries to identify logic relations between signals of the circuit under 
consideration. They assign the values 0 and 1 after each other to every signal in 
the circuit and examine their logical consequences by applying local implication 
rules and global implication rules stored already before. These implication 
rules are transformed by contraposition. A learning criterion checks whether 
the implications derived by contraposition can be directly derived by local 
implications as well. In this case, it is not worthwhile to record the implication. 
For illustration, consider the circuits shown in Figure 5.13 and 5.14. Assume 




Figure 5.13. Global implication rule that is worthwhile to record. 



that in the circuit of Figure 5.13 value $X$ is assigned to each signal line but signal $d$ which is assigned value 1. By local implication, the signal lines $a$ and $c$ have to be assigned value 1, too. Because of $a = 1$, the primary input signals $x_1$ and $x_2$ have to be set to value 0 which directly induces $b = 0$. As signal lines $b$ and $c$ are assigned value 0 and 1, respectively, the primary input signal $x_4$ has to be set to value 1 in order to justify $d = 1$. Thus, by the iterated local implication process, the assignment of value 1 to signal line $d$ directly implies signal assignment $x_4 = 1$. By means of contraposition, this implication transforms into the implication

$x_4 = 0 \Rightarrow d = 0.$

A closer look reveals that this new implication cannot be derived by applying local implications only. Thus, it is worthwhile to learn and record it.
Now consider the circuit shown in Figure 5.14 and assume that value $X$ is assigned to each signal line but signal line $a$ which is assigned value 1. The




Figure 5.14. Implication rule that is not worthwhile to record. 



direct consequences found by local implications are $x_1 = 0$, $x_2 = 0$, $b = 0$, and $c = 0$. Thus, the implication

$a = 1 \Rightarrow c = 0$

holds. By contraposition, we obtain the implication

$c = 1 \Rightarrow a = 0.$

Obviously, this implication can be directly found by local implications, too. Signal assignment $c = 1$ directly implies $x_1 = 1$ and $x_1 = 1$ directly implies $a = 0$. Thus, it is not worthwhile to learn this "new" implication.
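The justification procedure of Figure 5.11 (Section 2.2.1) and the static learning of Section 2.2.2, as an added Python example that is not the book's code: a 3-valued local implication engine with J-frontier for AND/OR/NOT netlists, the recursive JUSTIFY(), and the learning criterion. The circuits are constructed for illustration; the miter's EXOR gate is handled by justifying each pair of differing output values, so no EXOR gate is needed in the netlist.

```python
"""Justification with a J-frontier (Figure 5.11) and static learning by
contraposition (Section 2.2.2). Added example, not the book's code: a 3-valued
(0, 1, X = None) implication engine for constructed AND/OR/NOT netlists."""

class Conflict(Exception):
    """A signal would get both 0 and 1: IMPLICATION() reports FAILURE."""

def assign(vals, sig, val):
    """Assign val to sig; True if the assignment is new."""
    if vals.get(sig) is None:
        vals[sig] = val
        return True
    if vals[sig] != val:
        raise Conflict(sig)
    return False

def implication(net, vals):
    """Local implications over single gates (cf. Table 5.2a) to a fixpoint.
    net maps a gate output to (type, inputs). Returns the J-frontier: gate
    outputs with an assigned value not yet justified by their inputs."""
    changed = True
    while changed:
        changed = False
        for out, (kind, ins) in net.items():
            iv, ov = [vals.get(i) for i in ins], vals.get(out)
            nk = len(iv) - iv.count(None)             # known inputs
            if kind == "NOT":
                if nk: changed |= assign(vals, out, 1 - iv[0])
                if ov is not None: changed |= assign(vals, ins[0], 1 - ov)
                continue
            c = 0 if kind == "AND" else 1             # controlling value
            if c in iv: changed |= assign(vals, out, c)
            elif nk == len(iv): changed |= assign(vals, out, 1 - c)
            if ov == 1 - c:                           # all inputs non-controlling
                for i in ins: changed |= assign(vals, i, 1 - c)
            elif ov == c and c not in iv and nk == len(iv) - 1:
                for i in ins:                         # the last free input must control
                    if vals.get(i) is None: changed |= assign(vals, i, c)
    return [g for g, (kind, ins) in net.items() if kind != "NOT"
            and vals.get(g) == (0 if kind == "AND" else 1)
            and vals[g] not in [vals.get(i) for i in ins]]

def justify(net, vals):
    """JUSTIFY() of Figure 5.11: a consistent extension of vals, or None."""
    try:
        jfront = implication(net, vals)
    except Conflict:
        return None
    if not jfront:
        return vals
    g = jfront[0]                                     # select a gate from the J-frontier
    for i in net[g][1]:                               # each free input as the controlling one
        if vals.get(i) is None:
            res = justify(net, dict(vals, **{i: vals[g]}))  # copy: backtracking restores
            if res is not None:
                return res
    return None

def distinguishing_vector(net, spec_out, impl_out, pis):
    """Section 2.1.3: the miter's EXOR output is 1 iff the two circuit outputs
    differ, so justify spec_out = b, impl_out = b' for b = 0 and b = 1. None
    means the circuits are equivalent; else a partial vector (None = don't care)."""
    for b in (0, 1):
        res = justify(net, {spec_out: b, impl_out: 1 - b})
        if res is not None:
            return {p: res.get(p) for p in pis}
    return None

def static_learning(net, signals):
    """Static learning (Schulz et al.): from s = v derive t = w locally; record the
    contrapositive t = w' => s = v' only if local implications cannot derive it."""
    learned = []
    for s in signals:
        for v in (0, 1):
            vals = {s: v}
            try:
                implication(net, vals)
            except Conflict:
                continue
            for t, w in vals.items():
                if t == s: continue
                check = {t: 1 - w}
                try:
                    implication(net, check)
                except Conflict:
                    continue                          # t = w' is impossible: vacuous
                if check.get(s) != 1 - v:             # not derivable locally: record it
                    learned.append(((t, 1 - w), (s, 1 - v)))
    return learned

# Constructed miter: SPEC computes x1*x2 + x3, IMPL the same in NAND form, BAD_IMPL x1*x2 + x2.
SPEC = {"a": ("AND", ("x1", "x2")), "s": ("OR", ("a", "x3"))}
IMPL = {"b": ("AND", ("x1", "x2")), "nb": ("NOT", ("b",)), "nx": ("NOT", ("x3",)),
        "c": ("AND", ("nb", "nx")), "t": ("NOT", ("c",))}
BAD_IMPL = dict(IMPL, nx=("NOT", ("x2",)))
PIS = ("x1", "x2", "x3")
# Constructed circuit in the spirit of Figure 5.12: a and b both need x2 = 1, so
# c = 1 => x2 = 1 cannot be obtained by local implications and has to be learned.
LEARN = {"a": ("AND", ("x1", "x2")), "b": ("AND", ("x2", "x3")), "c": ("OR", ("a", "b"))}
```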

2.2.3 Recursive learning 

The techniques just presented do not find all (local and global) implications. Look at the circuit shown in Figure 5.15 and assume that signal line $h$ has been assigned value 0. Obviously, no local implication can be applied. Furthermore, the approach proposed by Schulz et al. [134] which we have presented in Section 2.2.2 cannot identify a global implication: In order to learn a global implication of the form $h = 0 \Rightarrow \ldots$, it has to find a value assignment to exactly one signal line (but $h$) which implies $h = 1$. However, such an assignment does not exist because the assignments of signal line $e$ and $x_3$ are independent from each other.

Nevertheless, there exists a necessary assignment implied by $h = 0$. This implication can easily be found by case differentiation: In order to justify $h = 0$ either $x_3 = 0$ has to hold or $e = 0$ has to hold.

■ In the first case, the assignments $g = 1$ and $i = 0$ are directly implied.

■ In the second case, the assignments $a = 0$ and $b = 0$ are implied. In order to justify $a = 0$ a new case differentiation has to be performed. In both cases, $x_1 = 0$ and $x_2 = 0$, we observe that $c = 0$ holds. Thus $a = 0$ implies $c = 0$. Analogously, $b = 0$ implies $d = 0$. This implies the assignments $f = 1$ and $i = 0$.

Figure 5.15. Circuit to demonstrate that not all global implications can be found by the techniques presented in Section 2.2.2.

Thus, signal line $i$ has to be assigned value 0 in order to justify $h = 0$. We have found the implication

$h = 0 \Rightarrow i = 0$

by case differentiation.

Kunz and Pradhan [81] have developed a method called recursive learning 
which can identify all assignments to signal lines implied from an existing 
situation of value assignments in the circuit. Readers interested in more details 
should study [81, 82] where further advanced learning strategies are presented. 

2.3 General automatic test pattern generation 

In order to fully understand the next chapters, we have to come back to general automatic test pattern generation. As already mentioned on page 121, for testing a signal line $e$ for stuck-at-$b$ with $b \in \{0, 1\}$, a distinguishing vector $a$ has to be found. This assignment $a$ to the primary inputs activates the fault, i.e., assigns value $b'$ to signal $e$ in the faultless circuit. Thus, different values occur at the site of the fault in the faultless and in the faulty circuit. This difference at the fault location has to be propagated to a primary output. Since only the activation phase was needed to understand the verification approach presented in Section 2.2, we now have to go into the propagation process.

By assigning a value $a \in \{0, 1\}^n$ to the primary inputs of a circuit $N$ which activates a s-a-$b$ fault $p$, there is at least one signal line $s$ of circuit $N$ which has different values in the faultless circuit $N$ and the faulty circuit $N_p$. At least one of these "errors" has to be propagated to a primary output. In order to keep track of the error propagation, Roth [124] proposed to consider composite logic values of the form $p_s / p_s^{(p)}$ where $p_s$ and $p_s^{(p)}$ are values of the same signal $s$ in $N$ and $N_p$, respectively. Thus, a 5-valued logic $\{0/0, 1/1, 1/0, 0/1, X/X\}$ is used, where the composite values $0/0$, $1/1$, $1/0$, $0/1$, and $X/X$ are denoted by $0$, $1$, $D$, $\overline{D}$, and $X$ [1]. Table 5.3 shows the laws which hold in this logic with respect to the AND-gate, the OR-gate, and the inverter.

Table 5.3. 5-valued logic [1]



Now, in addition to the J-frontier (see page 123) we keep track of the gates whose output line still has been assigned value $X$ and where at least one of its inputs has been assigned value $D$ or value $\overline{D}$. This set is called D-frontier. The ATPG methods try to move the J-frontier to the primary inputs and the D-frontier to the primary outputs. This is done by an iterative process in which

■ local and global implications are applied, analogously as described for the justification process in Section 2.2, and

■ in cases where no implication exists, a gate from the D-frontier or the J-frontier and an assignment of adequate values to the inputs (with value $X$) of that gate is selected such that the D-frontier or the J-frontier is moved.

The process stops when either at least one primary output of the circuit is assigned value $D$ or value $\overline{D}$ and all assignments are justified by the (partial) assignment to the primary inputs, or when it detects that the fault injected is not testable. The overall algorithm due to Roth [124] is shown in Figure 5.16. It is an extension of the justification process shown in Figure 5.11. More details can be found in [1].
ATPG()
begin
    if IMPLICATION() = FAILURE then return FAILURE fi;
    if no primary output is assigned value D or value D̄
    then
        if D-frontier is the empty set then return FAILURE fi;
        repeat
            select one gate G from D-frontier;
            assign values to the inputs of G such that its output is assigned value D or value D̄,
                and update both sets, J-frontier and D-frontier;
            if ATPG() = SUCCESS then return SUCCESS fi;
            restore J-frontier and D-frontier and
                undo the assignments made above in this iteration;
        until all gates of D-frontier have been tried;
        return FAILURE;
    fi;
    if J-frontier is the empty set then return SUCCESS fi;
    select a gate G from J-frontier;
    repeat
        select one untried (partial) assignment of the inputs of G
            which justifies the assignment at the output of G, and
            update J-frontier;
        if ATPG() = SUCCESS then return SUCCESS fi;
        restore J-frontier;
    until no untried assignment of the inputs of G exists;
    return FAILURE;
end

Figure 5.16. Overall ATPG procedure for Boolean networks over $\{\mathrm{NOT}, \cdot, \overline{\cdot}, +, \overline{+}\}$ [1, 124]






Chapter 6 



EXPLOITING SIMILARITIES 



Usually, the implementation of a circuit contains a significant number of internal signal lines that have functionally equivalent counterparts in the specification of the circuit [25, 77, 79]. Thus, the corresponding miter (see Figure 5.1 on page 100) is redundant.

The structural similarities can be exploited in order to either simplify the miter 
so that the corresponding satisfiability problem becomes easier or partition the 
problem into a set of smaller and simpler combinational equivalence check- 
ing problems. In this chapter, we will present both approaches after having 
reviewed the common basic idea proposed by Berman and Trevillyan [9]. 

1. The basic idea 

One way of exploiting structural similarities during equivalence checking has 
been proposed in [9]. They proposed a decomposition based equivalence 
checker which proves equivalences between internal signal lines and uses these 
internal equivalences to check the equivalence of the circuits being compared. 
The basic idea of their procedure is as follows. Given two signal lines $s$ and $t$ being checked for functional equivalence, they derive a simultaneous functional decomposition $(h_s, h_t, g)$ of $s$ and $t$.

Definition 6.1 (simultaneous functional decomposition)

Let $f_s \in B_n$ and $f_t \in B_n$ be the Boolean functions which compute the assignments to $s$ and $t$, respectively. The vector $(h_s, h_t, g)$ with $g \in B_{n,m}$, $h_s \in B_m$, and $h_t \in B_m$ is a simultaneous decomposition of $s$ and $t$ if

$f_s = h_s \circ g$
$f_t = h_t \circ g$

hold.

Obviously, the equality $h_s = h_t$ would imply the functional equivalence of signal lines $s$ and $t$.

Theorem 6.1 If $(h_s, h_t, g)$ is a simultaneous functional decomposition of $s$ and $t$, then $s$ and $t$ are functionally equivalent if $h_s = h_t$.

For illustration, look at the circuits shown in Figure 6.1 [83] which we have already used in Chapter 5 (see page 101). It shows a simultaneous functional decomposition of signal lines $i$ and $j$. As shown, the assignments to signal




Figure 6.1. Illustration of the decomposition based approach of Berman and Trevillyan. 



lines $i$ and $j$ are described by $h_i \circ g$ and $h_j \circ g$ with $g \in B_{3,2}$ defined by

$g(x_1, x_2, x_3) = (x_1, x_2 \cdot x_3)$

and $h_i, h_j \in B_2$. The signal lines $i$ and $j$ are functionally equivalent since $h_i = h_j$.

Unfortunately, given a simultaneous functional decomposition of two signal lines $s$ and $t$, the functional equivalence of signal line $s$ and signal line $t$ does not imply that $h_s$ and $h_t$ are equal, in general. As example, look at the simultaneous decomposition given by

$g : \{0, 1\}^2 \to \{0, 1\}^2$ defined by $g(x_1, x_2) = (x_1, x_1 \cdot x_2)$,
$h_s : \{0, 1\}^2 \to \{0, 1\}$ defined by $h_s(v, w) = v + w$,

and

$h_t : \{0, 1\}^2 \to \{0, 1\}$ defined by $h_t(v, w) = v$.

Obviously,

$\forall (x_1, x_2) \in \{0, 1\}^2 : (h_s \circ g)(x_1, x_2) = x_1 = (h_t \circ g)(x_1, x_2)$

holds, although $h_s \neq h_t$.
As mentioned in [9], the reason for this limitation of the method is inherent in the approach. Since the first step is to identify (internal) equivalences and then proceed with an equivalence check treating these internal equivalences as independent additional inputs, the method may fail to recognize that certain circuits are identical. This failure to recognize equivalences is called false negative, in literature.

2. Partitioning the problem into a set of smaller and 
simpler equivalence checking problems 

The decomposition based approach just described can be applied iteratively [9]. Let $N$ be a miter with primary inputs $x_1, \ldots, x_n$. Now assume that there is a pair $(s, t)$ of functionally equivalent signal lines. Such a pair of functionally equivalent signal lines is referred to as cutpoint [77]. The idea of the approach is to cut the circuit at the cutpoint as illustrated in Figure 6.2a and Figure 6.2b. That is, the circuit is cut at this position and the cutpoint is taken as additional primary input.

It is easy to see that the signal lines $s$ and $t$ of the circuit shown in Figure 6.2a are functionally equivalent. Both signal lines realize the Boolean function described by $x_1 \cdot x_2$. Thus, they can be merged. After the insertion of cutpoint $y_1 = (s, t)$ the new circuit $N_{y_1}$ which is shown in Figure 6.2b realizes a Boolean function $\phi(N_{y_1}) \in B_{n+1}$ which depends on $x_1, \ldots, x_n$, and $y_1$. Variable $y_1$ is associated with the Boolean function $f_s \in B_n$, i.e., the Boolean function which defines the behavior of signal line $s$ subject to the primary inputs $x_1, \ldots, x_n$. In this context, we denote this Boolean function by $\chi_{y_1}$.

Now, look once again at the circuit in Figure 6.2b. The behavior of signal line $u$ is defined by

$f_u = y_1' + x_3$

and the behavior of signal line $v$ is defined by

$$\begin{aligned}
f_v &= ((y_1 \cdot x_3)' \cdot y_1)' \\
&= (y_1 \cdot x_3) + y_1' \\
&= x_3 + y_1'.
\end{aligned}$$

Thus, signal lines $u$ and $v$ are functionally equivalent and can be taken as further cutpoint $y_2$. Figure 6.2c shows the resulting circuit $N_{\{y_1, y_2\}}$. If $k$ cutpoints $y_1, \ldots, y_k$ (we assume that the cutpoints are topologically ordered from the primary inputs to the primary output of the miter) are inserted, circuit $N_{\{y_1, \ldots, y_k\}}$ realizes a Boolean function $\phi(N_{\{y_1, \ldots, y_k\}}) \in B_{n+k}$ over $x_1, \ldots, x_n, y_1, \ldots, y_k$. Each variable $y_j$ is associated with its function $\chi_{y_j} \in B_{n+j-1}$ over the variables $x_1, \ldots, x_n, y_1, \ldots, y_{j-1}$.
Figure 6.2a. Initial Boolean network

Figure 6.2b. Cutting the miter at cutpoint $(s, t)$. After insertion of the cutpoint, the miter depends on $x_1$, $x_2$, $x_3$, and $y_1$.



If the primary output of $N_{\{y_1, \ldots, y_k\}}$ is not satisfiable, then the circuits under comparison are functionally equivalent. If it is satisfiable, we have to check whether there is a false negative.

Let us come back to the example above. Circuit $N_{\{y_1, y_2\}}$ in Figure 6.2c is described by

$\chi_{y_1} = x_1 \cdot x_2,$

$\chi_{y_2} = y_1' + x_3,$
Figure 6.2c. Inserting cutpoints $(s, t)$ and $(u, v)$ into miter $N$ of Figure 6.2a



and

$$\begin{aligned}
f_q &= (y_2 \cdot (x_3 \cdot (x_1' + x_2'))')' \oplus (y_2 \cdot (x_3 \cdot (x_3 \cdot y_1)')')' \\
&= (y_2' + (x_3 \cdot (x_1' + x_2'))) \oplus (y_2' + (x_3 \cdot (x_3 \cdot y_1)')) \\
&= (y_2' + (x_3 \cdot (x_1' + x_2'))) \oplus (y_2' + (x_3 \cdot (x_3' + y_1'))) \\
&= (y_2' + (x_1' \cdot x_3) + (x_2' \cdot x_3)) \oplus (y_2' + (x_3 \cdot y_1')).
\end{aligned}$$

Unfortunately, the primary output $q$ of $N_{\{y_1, y_2\}}$ is satisfiable since $f_q$ which depends on $x_1$, $x_2$, $x_3$, $y_1$, and $y_2$ is obviously different from the constant Boolean function 0. Just assign the values 1, 1, 1, 0, and 1 to the variables $x_1$, $x_2$, $x_3$, $y_1$, and $y_2$, respectively. Thus, we have to check whether there is a false negative. And indeed, there is a false negative since resubstitution of variable $y_1$ by $\chi_{y_1}$ results in

$$\begin{aligned}
(f_q)|_{y_1 = x_1 \cdot x_2} &= (y_2' + (x_1' \cdot x_3) + (x_2' \cdot x_3)) \oplus (y_2' + (x_3 \cdot (x_1 \cdot x_2)')) \\
&= (y_2' + (x_1' \cdot x_3) + (x_2' \cdot x_3)) \oplus (y_2' + (x_3 \cdot (x_1' + x_2'))) \\
&= (y_2' + (x_1' \cdot x_3) + (x_2' \cdot x_3)) \oplus (y_2' + (x_1' \cdot x_3) + (x_2' \cdot x_3)) \\
&= 0.
\end{aligned}$$

This proves that the two circuits under consideration are functionally equivalent. The false negative has been generated by the fact that in the initial miter shown in Figure 6.2a the signal lines $s$ and $t$ are 1 whenever $x_1 = x_2 = 1$ holds, i.e., the assignment 1, 1, and 0 to the primary inputs $x_1$, $x_2$, and $y_1$, respectively, is not a consistent assignment.
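The false negative resolution just shown, as an added Python example that is not the book's code: the function f_q derived above is evaluated with y1 and y2 as free inputs, and the cutpoint functions chi_y1 and chi_y2 are resubstituted in a chosen order; satisfiability is decided by exhaustive enumeration rather than with BDDs. A constructed faulty variant f_q_bad shows a genuine counterexample surviving all resubstitutions, and running the two resubstitution orders shows how the number of satisfiability checks depends on that order.

```python
"""Cutpoint based equivalence checking with false negative resolution by
resubstitution (Chapter 6, Section 2). Added example, not the book's code:
f_q is the miter output of Figure 6.2c as derived in the text, chi_y1 = x1*x2
and chi_y2 = y1' + x3 are the cutpoint functions, and satisfiability is
decided by exhaustive enumeration instead of BDDs."""
from itertools import product

def f_q(val):
    """(y2' + x1'x3 + x2'x3) xor (y2' + x3 y1'); val(name) looks a variable up."""
    x1, x2, x3, y1, y2 = (val(n) for n in ("x1", "x2", "x3", "y1", "y2"))
    return ((1 - y2) | ((1 - x1) & x3) | ((1 - x2) & x3)) ^ ((1 - y2) | (x3 & (1 - y1)))

def f_q_bad(val):
    """Constructed variant with a real design error: the second circuit uses
    y1 where the correct one uses y1', so no resubstitution can repair it."""
    x1, x2, x3, y1, y2 = (val(n) for n in ("x1", "x2", "x3", "y1", "y2"))
    return ((1 - y2) | ((1 - x1) & x3) | ((1 - x2) & x3)) ^ ((1 - y2) | (x3 & y1))

# Cutpoint functions chi_y1 and chi_y2 in topological order; each may use
# the primary inputs and the cutpoints inserted before it.
CHI = {"y1": lambda val: val("x1") & val("x2"),
       "y2": lambda val: (1 - val("y1")) | val("x3")}
PIS = ("x1", "x2", "x3")

def lookup(v, chi, resubstituted):
    """Variable access for f: free variables come from the vector v, while
    resubstituted cutpoints are recomputed from their functions."""
    def val(name):
        return chi[name](val) if name in resubstituted else v[name]
    return val

def satisfying_vector(f, chi, free, resubstituted):
    """A vector over the free variables with f = 1, or None if f is the constant 0."""
    for bits in product((0, 1), repeat=len(free)):
        v = dict(zip(free, bits))
        if f(lookup(v, chi, resubstituted)):
            return v
    return None

def check_with_cutpoints(f, chi, pis, order):
    """Phase 1: every cutpoint is a free primary input. If the miter is
    satisfiable, resolve the possible false negative by resubstituting the
    cutpoints in the given order until the miter becomes unsatisfiable
    (equivalent) or no cutpoint is left (a genuine counterexample).
    Returns (equivalent, number of satisfiability checks, last witness)."""
    free, done, checks = list(pis) + list(chi), set(), 0
    witness = None
    for cut in (None,) + tuple(order):
        if cut is not None:
            done.add(cut)
            free.remove(cut)
        checks += 1
        witness = satisfying_vector(f, chi, free, done)
        if witness is None:
            return True, checks, None
    return False, checks, witness
```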
Note that the approach can be extended to cutpoints with complemented functions. That is, the pair of signal lines $s$ and $t$ is a cutpoint if either $f_s = f_t$ or $f_s = f_t'$ holds. With this extension, the miter of Figure 6.2a where $f_t = f_s = f_r'$ and $f_u = f_v$ hold can be decomposed as shown in Figure 6.3. Here,




Figure 6.3. Using cutpoints with complemented functions 



equivalence of the two circuits being compared can directly be shown because of

$$\begin{aligned}
f_q &= (y_2 \cdot (x_3 \cdot y_3')')' \oplus (y_2 \cdot (x_3 \cdot (x_3 \cdot y_3)')')' \\
&= (y_2' + (x_3 \cdot y_3')) \oplus (y_2' + (x_3 \cdot (x_3 \cdot y_3)')) \\
&= (y_2' + (x_3 \cdot y_3')) \oplus (y_2' + (x_3 \cdot (x_3' + y_3'))) \\
&= (y_2' + (x_3 \cdot y_3')) \oplus (y_2' + (x_3 \cdot y_3')) \\
&= 0.
\end{aligned}$$



Basically, the overall procedure for cutpoint based equivalence checking con- 
sists of two phases, namely 

■ detection and selection of cutpoints, and 

■ false negative resolution in case of mismatch. 

Resubstitution of cutpoints $y_i$ by their functions $\chi_{y_i}$ as shown in the example on page 135 is used to solve the false negative resolution problem, in practice [9, 77]. However, the method is very sensitive to the order in which the cutpoints are resubstituted. As mentioned in [77], a bad order might cause the elimination of all cutpoints including the ones which do not cause false negatives. A BDD based approach to false negative resolution which uses resubstitution can be found in [77]. The false negative resolution problem can also be attacked by the approach of Gupta and Ashar [55] which is presented in Chapter 5 on page 116.

Since the first phase is applied within the context of another approach for equivalence checking as well (see Section 3), we separately handle it in Section 4.

3. Using internal equivalences to simplify large miters 

Cutpoint based equivalence checkers have a big drawback, the false negatives. Whenever cutpoint based equivalence checkers fail to recognize that the circuits under consideration are functionally identical, one has to check whether there is a false negative. As already mentioned, the method of resubstitution of cutpoints is very sensitive to the order in which the cutpoints are resubstituted. A bad order might cause the elimination of all cutpoints including the ones which do not cause false negatives. Furthermore, proving a faulty Boolean network to be faulty results in many resubstitutions in general, as no false negative can be found.

False negatives are due to the fact that taking cutpoints as additional primary inputs often oversimplifies the problem instance. A more natural approach is to use cutpoints, i.e., functionally equivalent internal signal lines, to simplify the miter under consideration without losing information as proposed by Brand [16].

Let us assume that the signal lines $s$ and $t$ of the miter in Figure 6.4 have been proven to be functionally equivalent. Then, the miter can be simplified by transforming it as shown in the same figure: The gate inputs which are driven by signal line $t$ are connected to signal line $s$; gates which now are superfluous are deleted. Thus, after the transformation the circuits being compared share the logic which drives signal line $s$ and the reconvergences of the miter, i.e., the distance between the position where the signals diverge and the position where the signals converge, have usually been reduced. As explained in [16], the approach can be extended to signal lines $s$ and $t$ with $f_s = f_t'$. In this case, the complemented signal line $s$ can replace signal line $t$.

Let us illustrate the iterative process proposed by [16] by an example (see Figures 6.5a-6.5e). The circuit under consideration has already been used in the section above. We consider the signal lines in a topological order. The first pair of "equivalent" signal lines are signal lines $j$ and $p$. Complementing signal line $j$ results in a signal which is functionally equivalent to signal $p$. Thus, we can "replace signal $p$" by the complemented signal line $j$. The resulting miter which is shown in Figure 6.5b is smaller than the initial miter. Due to this simplification of the miter, it may be easier to find further (internal) signal equivalences in the miter.




EQUIVALENCE CHECKING OF DIGITAL CIRCUITS

(Figure 6.4 label: simplification of the miter by replacing signal line $t$ by signal line $s$)

Figure 6.4. Using internal equivalences to simplify large miters.



For signal lines g and l, the equalities

$f_l = (f_j \cdot f_k)'$

$\quad = (f_j \cdot (f_j \cdot x_3)')'$

$\quad = (f_j \cdot (f_j' + x_3'))'$

$\quad = (f_j \cdot x_3')'$

$\quad = f_j' + x_3$

$\quad = f_p + x_3$

$\quad = f_g$

hold. Thus, g and l are functionally equivalent signal lines and signal line g can be replaced by signal line l (see Figure 6.5c). Analogously, it can be shown that signal lines h and m are functionally equivalent and signal line h can be replaced by signal line m. The resulting miter is shown in Figure 6.5d. Obviously, the signals i and n which drive the inputs of the EXOR-gate are functionally equivalent, now (see Figure 6.5e). Thus, the EXOR-gate always outputs 0 and the circuits being compared are functionally equivalent.

Figure 6.5a. Example illustrating the approach of Brand [16]: The initial circuit (which has been taken from [77, 78]).

Figure 6.5b. Replacement of signal line p by the complemented signal line j.

Figure 6.5c. Replacement of signal line g by the complemented signal line l.

Figure 6.5d. Continued example.

Figure 6.5e. Continued example.

Note that ATPG-based equivalence checkers as described in Chapter 5 are efficient in general, if they are applied to circuits which contain either no reconvergences or only few small reconvergences. Thus the simplification process just described can be aborted if most reconvergences are removed and the reconvergences which still exist are small enough.

4. Finding internal equivalences 

Both the approach of Brand which has been presented in Section 3 and the approach of Section 2 need a preprocessing phase which computes cutpoints. While all the cutpoints detected can be used to simplify the miter in the approach of Brand, there is a dilemma for selecting the right number of cutpoints in the other approach. Choosing too few cutpoints results in an equivalence checking problem which is too complex and choosing too many increases the likelihood of false negatives and thus leads to an explosion of resubstitutions [77].

4.1 Detection of cutpoints

Let us begin with algorithms to detect cutpoints.

4.1.1 Filtering phase 

As proposed in [9], in a first step candidates for cutpoints are computed. Usually, this is done by random simulation, i.e., the miter is simulated for a small number of random assignments to the primary inputs. These simulation runs produce a vector of values at each signal line s of the miter. This vector can be used as signature $\omega_s$ of signal line s. Whenever neither $\omega_s = \omega_t$ nor $\omega_s = \omega_t'$ holds, the pair (s, t) cannot be used as cutpoint. Thus, this step gives us a list of pairs (s, t) of signal lines which are potential candidates for internal functional equivalences. The list is ordered in a breadth-first manner such that "earlier pairs" come first. Now, the pairs contained in this list are taken one after the other and the corresponding signal lines s and t are checked for functional equivalence.



4.1.2 Naive approach 

A first idea to implement this check is either

■ to compute the ROBDDs of $f_s$ and $f_t$ by symbolic simulation (see Chapter 4 Section 1.1 on page 72)

or

■ to insert an EXOR-gate whose inputs are connected to s and t, respectively, and to ask whether the output of the EXOR-gate, which is treated as additional primary output of the circuit, is not testable for stuck-at-1 or stuck-at-0 (see Chapter 5 Section 2.2 on page 122). If it is not testable for stuck-at-0 then $f_s = f_t$. If it is not testable for stuck-at-1 then $f_s = f_t'$.

Figure 6.6 illustrates the latter approach.

Figure 6.6. First idea for finding internal equivalences.



The problem with both ideas is that they fail if the internal nodes of the circuit 
implementation are optimized with respect to local don’t cares so that the miter 
does not contain many functionally equivalent signal lines (cf. [16]). 
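As an added illustration (not code from the book), the following Python script implements the filtering phase of Section 4.1.1 on a small constructed miter netlist: bit-parallel random simulation computes a signature $\omega_s$ for every signal line, pairs whose signatures agree or are complementary become cutpoint candidates in topological order, and each candidate is then confirmed by exhaustive simulation, which stands in for the ROBDD or ATPG check of Section 4.1.2 and is feasible only because the example has three inputs. The netlist, the gate names and all function names are assumptions of this example.

```python
import random

# Constructed miter netlist for this example (not a circuit from the book).
# Gates are listed in topological order: name -> (gate type, operand names).
INPUTS = ["x1", "x2", "x3"]
NETLIST = {
    "a": ("AND", ("x1", "x2")),   # first circuit under comparison
    "b": ("NOT", ("a",)),
    "c": ("OR",  ("b", "x3")),
    "d": ("NOT", ("x1",)),        # second circuit, structurally different
    "e": ("NOT", ("x2",)),
    "p": ("OR",  ("d", "e")),     # equals b (De Morgan)
    "q": ("NOT", ("p",)),         # equals a
    "r": ("NOT", ("x3",)),
    "s": ("AND", ("q", "r")),     # equals c'
    "t": ("NOT", ("s",)),         # equals c
    "out": ("XOR", ("c", "t")),   # miter output: 0 under every input pattern
}
ORDER = INPUTS + list(NETLIST)    # topological order of all signal lines


def simulate(netlist, patterns, mask):
    """Bit-parallel simulation: bit k of a signal's integer is its value under
    pattern k, so the integer is the signature omega_s of signal line s."""
    sig = dict(patterns)
    for name, (kind, ops) in netlist.items():
        v = [sig[o] for o in ops]
        if kind == "AND":
            sig[name] = v[0] & v[1]
        elif kind == "OR":
            sig[name] = v[0] | v[1]
        elif kind == "XOR":
            sig[name] = v[0] ^ v[1]
        elif kind == "NOT":
            sig[name] = ~v[0] & mask
        else:
            raise ValueError(f"unknown gate type {kind}")
    return sig


def random_patterns(inputs, npat, seed=1):
    """npat random assignments to the primary inputs, packed bit-parallel."""
    rng = random.Random(seed)
    return {x: rng.getrandbits(npat) for x in inputs}, (1 << npat) - 1


def exhaustive_patterns(inputs):
    """All 2^n assignments packed bit-parallel: pattern k gives input i bit i of k."""
    npat = 1 << len(inputs)
    pats = {x: sum(((k >> i) & 1) << k for k in range(npat))
            for i, x in enumerate(inputs)}
    return pats, (1 << npat) - 1


def candidate_pairs(sig, mask, order, exclude=()):
    """Filtering phase: pairs (s, t, complemented) whose signatures agree or are
    complementary, with s before t in topological order and earlier t first."""
    names = [n for n in order if n not in exclude]
    cands = []
    for j, t in enumerate(names):
        for s in names[:j]:
            if sig[s] == sig[t]:
                cands.append((s, t, False))
            elif sig[s] == (~sig[t] & mask):
                cands.append((s, t, True))
    return cands


def find_equivalences(netlist, inputs, npat=4, seed=1):
    """Candidates from random simulation, then exact confirmation of each one.
    Exhaustive simulation stands in for the book's ROBDD/ATPG check; it is only
    feasible because this constructed example has three inputs."""
    order = inputs + list(netlist)
    pats, mask = random_patterns(inputs, npat, seed)
    cands = candidate_pairs(simulate(netlist, pats, mask), mask, order,
                            exclude=("out",))
    xpats, xmask = exhaustive_patterns(inputs)
    xsig = simulate(netlist, xpats, xmask)
    confirmed = [(s, t, c) for (s, t, c) in cands
                 if xsig[s] == (~xsig[t] & xmask if c else xsig[t])]
    return cands, confirmed, xsig["out"]


if __name__ == "__main__":
    cands, confirmed, out_sig = find_equivalences(NETLIST, INPUTS)
    print("candidates after random simulation:", cands)
    print("confirmed internal equivalences:", confirmed)
    print("miter output signature (0 means equivalent):", out_sig)
```

Because a true equivalence can never be filtered out, every confirmed pair is among the random-simulation candidates; candidates that fail confirmation are exactly the false matches that a short random run cannot exclude.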
4.1.3 Approach of Brand

A more sophisticated approach has been proposed in [16]. Here, an EXOR-gate is inserted between the signal line t and all its immediate fanouts. The other input of the EXOR-gate is connected to signal line s. Let us denote this transformed circuit by C. Figure 6.7 shows the circuit C just described.

Figure 6.7. Circuit C obtained by inserting an EXOR-gate between the signal line t and its immediate fanouts and connecting the other input of the EXOR-gate to signal line s.



Now, if the output of the EXOR-gate is not testable for stuck-at-0, then either 
signal lines s and t are functionally equivalent or the difference between both 
Boolean functions fs and ft cannot be propagated to the output of C. Thus, 
the following statement holds. 

Theorem 6.2 If the output of the EXOR-gate is not testable for stuck-at-0, then signal line t can be replaced by signal s inside the (initial) miter M as shown in Figure 6.4 without changing the input/output behavior of the miter.

Proof: As already mentioned, if the output of the EXOR-gate is not testable for stuck-at-0, then either signal lines s and t are functionally equivalent or the difference between both Boolean functions $f_s$ and $f_t$ cannot be propagated to the output of C. In the first case, signal line t can obviously be replaced by signal line s. In the latter case, we have to show that for each assignment to the primary inputs of the miter, the output of the miter does not change if signal line t is replaced by s. To prove it, let vector a be an assignment to the primary inputs of the miter such that $f_s(a) \neq f_t(a)$.

■ At first, let us assume that $f_s(a) = 0$ and $f_t(a) = 1$ hold. Then, the immediate fanouts of t are assigned to value 1 in the initial miter M and to value 0 in the simplified miter. However, this is the situation which occurred when we searched for a test for stuck-at-0 at the output of the EXOR-gate inserted in circuit C: The output of the EXOR-gate has to be assigned value 1 in the faultless circuit C and value 0 in the faulty circuit C. Since such a test does not exist, it cannot be detected at the output of the miter under input assignment a whether value 0 or value 1 is assigned to the immediate fanouts of t.

■ Now, let us assume that $f_s(a) = 1$ and $f_t(a) = 0$ hold, i.e., the immediate fanouts of t are assigned to value 0 in the initial miter M and to value 1 in the simplified miter. Obviously, this situation is the same one as above.



Similarly, if the output of the EXOR-gate inserted is not testable for stuck-at-1, 
then the complemented signal line s can replace signal line t. 

4.2 Selection of outpoints 

As already mentioned above, we have to select a proper subset of the detected cutpoints when applying the decomposition based approach of Section 2, as there is a dilemma for selecting the right number of cutpoints in the cutpoint based approach. Choosing too few cutpoints results in an equivalence checking problem which is too complex and choosing too many increases the likelihood of false negatives and thus leads to an explosion of resubstitutions [77].

Several heuristics have been proposed to attack this problem. We will mention 
some of them very briefly, in the following: 

■ Select a subset of mutually independent cutpoints [98], whereby a signal line s is said to depend on signal line t if signal line t is contained in the transitive fanin of signal line s. This approach is justified by the observation that false negatives occur if mutually dependent cutpoints are selected.

■ Select cutpoints with high fanout [140]. Selecting a cutpoint with a high fanout instead of selecting a cutpoint with low fanout induces that, after cutting the miter, more signal lines depend on the same (new) variable, which makes false negatives more improbable.

■ Select cutpoints only if the amount of logic between two cutpoints is not too small [140]. This rule is due to the fact that fine grained decompositions lead to an unnecessarily large number of variables, which increases the running time of the underlying algorithms, and run an increased risk of false negatives.
In this chapter we address the problem of Black Box Equivalence Checking, which occurs when the specification is known, but only parts of the implementation are finished or known. For an example, see Figure 7.1a and Figure 7.1b. The latter one shows a partial implementation of the specification given in Figure 7.1a. It contains two black boxes, $BB_1$ and $BB_2$. Clearly, after a suitable implementation of the two black boxes the final implementation fulfills its specification.

Black Box Equivalence Checking enables the use of verification techniques in early stages of the design. Design errors can be already detected when only a partial implementation is at hand, for example, due to a distribution of the implementation task to several groups of designers. Parts of the implementation, which are not yet finished, are combined into black boxes. If the implementation differs from the specification for all possible substitutions of the black boxes, a design error is found in the current partial implementation. To detect an error in the current partial implementation it is necessary to find an assignment to the primary inputs which produces erroneous values at the outputs independently from the final implementation of the black boxes.

Another application of Black Box Equivalence Checking is the abstraction from "difficult parts" of an implementation, which would cause a large peak size in memory consumption during the construction of a canonical form for the implementation. These "difficult parts" of the design can be put into a black box and Black Box Equivalence Checking is performed. An exact statement about the correctness of the full implementation is not possible, but it is still possible to find errors in the partial implementation given to the Black Box Equivalence Checker.

Figure 7.1a. Specification and partial implementation: Specifying circuit

Figure 7.1b. Partial implementation with two black boxes

Black Box Equivalence Checking can also be used to verify assumptions con- 
cerning the location of errors in implementations, which do not fulfill their 
specifications. If there is some assumption on the location of errors (produced 
by an automatic error diagnosis tool or found by hand), then these regions of the 
design are cut off and put into black boxes. If Black Box Equivalence Checking 
gives the information that no error can be found in the design containing black 
boxes, we can conclude that the assumptions on the error location were correct, 
otherwise we know that there must be errors also in other regions of the design. 



In this chapter, we present algorithms for equivalence checking of partial implementations under the assumption that a combinational circuit is given as specification and all implementations and black boxes are of combinational nature. We present a thorough analysis of the problem leading to several algorithms to attack the Black Box Equivalence Checking problem. These algorithms need different amounts of resources in terms of space and time and differ in their accuracy. They range from a simple algorithm using symbolic simulation for an approximation of the solution to an exact solution of the problem. Approximate solutions are not able to find all errors in the partial implementation, but they are correct in the sense that they do not report an error if there is still a possibility to implement the black boxes leading to a correct overall implementation. However, if we solve the Black Box Equivalence Checking problem approximately, the information that no error can be found can be due to the approximate character of the approach and does not necessarily imply that there is an implementation of the black boxes leading to a correct overall implementation. That is, when Black Box Equivalence Checking is used to verify assumptions on the location of design errors, it cannot be guaranteed that the information that no error can be found implies that the error location is confined to the black boxes.

We start with a simple symbolic simulation with respect to the 0, 1, X logic. Then we successively increase the exactness (and the complexity) of the algorithm leading to a local check, an output exact check and an input exact check. In particular, an exact criterion to decide for a given partial implementation with one black box and a specification whether the partial implementation is correct or not is given. Unlike the approaches presented in [54] and [67], it is guaranteed that there is really an extension of the partial implementation to a correct complete implementation, if the criterion which is proven in Section 2.3.1 on page 161 reports no error (and of course, vice versa, there is no extension of the partial implementation to a complete implementation, if it does report an error). Several experiments have been performed which show that improving the accuracy of the algorithms indeed leads to a significant improvement of the error detection capabilities (paid with an increase of computational resources). They can be found in [130].

In the following, we assume that the circuit under consideration has n input signal lines, $x_1, \dots, x_n$. As a running example for the demonstration of our algorithms we will often use the specification given in Figure 7.1a.

1. Symbolic Z-simulation 

A first algorithm for checking partial implementations is based on the usual {0, 1, X}-simulation, which is well-known in the area of testing [1] (cf. Chapter 5 Section 2.2.1).

To simulate a partial implementation with n primary inputs for an input vector $(a_1, \dots, a_n) \in \{0,1\}^n$ the unknown value X is assigned to all outputs of the black boxes. If all the inputs of a gate are assigned a value in {0, 1}, then the output of the gate is computed according to the gate function as usual. If some inputs of a gate are set to X, the output is equal to X if and only if there are two different replacements of the X values at the inputs by 0's and 1's, which lead to different outputs of the gate. For a two-input AND-gate, a two-input OR-gate, a two-input EXOR-gate, and an inverter, this leads to the rules
Figure 7.2 shows the evaluation of the partial implementation of Figure 7.1b with respect to the input vector (1, 0, 0, 0, 0, 0, 0, 0). Note that the first output of the partial implementation is 1 independently of the functionality of the black boxes.

Figure 7.2. Evaluation with respect to input vector (1, 0, 0, 0, 0, 0, 0, 0)



We can take advantage of such a {0, 1, X}-simulation to detect errors in partial implementations. If the evaluation of the partial implementation results in a value $\beta \in \{0, 1\}$ for some output, this means that the output value is $\beta$ independently of the functionality of the black boxes. If on the other hand the specification produces $\beta'$ for the same input vector, then we have found an error in the partial implementation. Figure 7.3 shows such a situation. When this partial implementation is compared to the specification of Figure 7.1a by applying input vector (1, 0, 0, 0, 0, 0, 0, 0), we see that the first output of the (partial) implementation is 0 whereas it is 1 for the specification. Generalizing the usual notion of a distinguishing vector for designs without black boxes to designs containing black boxes we can say that (1, 0, 0, 0, 0, 0, 0, 0) is a distinguishing vector for the specification in Figure 7.1a and the partial implementation in Figure 7.3. Of course, only vectors which produce 0 or 1 (i.e., which do not produce X) at outputs of the partial implementation can play a role as distinguishing vectors.

Figure 7.3. Partial implementation with a detectable error

Since it is not possible to simulate specification and implementation for all $2^n$ input vectors one after the other to find distinguishing vectors, a more sophisticated method has to be applied. For this, consider an output i of the partial implementation and the Boolean function $g_i \in B_{n+1}$ with n + 1 Boolean variables $x_1, \dots, x_n$, and Z which is defined by Property 1.

Property 1 For each assignment $a = (a_1, \dots, a_n) \in \{0, 1\}^n$ of the primary inputs of the partial implementation, the iterated cofactor of $g_i$ with respect to $x_1 = a_1, \dots, x_n = a_n$ is the constant Boolean function 0 or 1 if the {0, 1, X}-simulation assigns value 0 or value 1, respectively, to output i. It is the Boolean function $Z \in B_{n+1}$ defined by

$$Z(x_1, \dots, x_n, Z) = Z$$

if the {0, 1, X}-simulation assigns value X to output i.

Thus, function $g_i$ "characterizes" the outputs of the {0, 1, X}-simulation runs applied to the partial implementation. Figure 7.4 and Figure 7.5 illustrate the definition. We have tagged each signal line j of the circuit with the corresponding "$g_j$-function".

Figure 7.4. Illustration of symbolic Z-simulation

Figure 7.5. Symbolic Z-simulation of an EXOR-gate whose input signal lines are driven by black boxes

The computation of the ROBDDs of the $g_i$'s is quite easy. It is performed by so called symbolic Z-simulation. Since all types of gates can be expressed using two-input AND-gates, two-input OR-gates, and inverters, let us assume without loss of generality that all our gates have types ·, + or NOT to explain the approach in detail. Firstly, the primary input signal lines of the circuit are associated with unique ROBDD variables, $x_1, \dots, x_n$. All output signals of black boxes are associated with the new variable Z. Now, ROBDDs for the functions computed by the gates of the circuit are built in topological order treating the black box outputs (associated with variable Z) as additional primary inputs of the circuit. The gates of the circuit can be processed in a manner similar to a conventional symbolic simulation which has been presented in Chapter 3 Section 3.2.1:

■ When an AND- or an OR-gate is processed, the ROBDDs P and Q of the two predecessor functions are combined by computing ITE(P, Q, 0) or ITE(P, P, Q), respectively.

■ For an inverter, the NOT operation on the ROBDD of the predecessor function has to be performed, followed by a substitution operation which substitutes Z' for Z.

The fact that the final ROBDD obtained by this modified symbolic simulation represents Boolean function $g_i$ follows from the observation that the initial ROBDDs for the primary inputs and for the black box outputs fulfill Property 1 and from the following three equalities:

1. Let p and q be the two functions computed for the predecessor gates of an AND-gate. By induction, we can assume that both fulfill Property 1. Thus, for each assignment $(a_1, \dots, a_n)$ to the Boolean variables $x_1, \dots, x_n$, the equation

$$(p \cdot q)_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} \cdot q_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = \begin{cases} 0, & \text{if } p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 0 \text{ or } q_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 0 \\ 1, & \text{if } p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 1 \text{ and } q_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 1 \\ Z, & \text{if } \{p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)}, q_{[x_1,\dots,x_n]=(a_1,\dots,a_n)}\} = \{Z\} \text{ or } \{p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)}, q_{[x_1,\dots,x_n]=(a_1,\dots,a_n)}\} = \{1, Z\} \end{cases}$$

holds. Thus, the Boolean function $(p \cdot q)_{[x_1,\dots,x_n]=(a_1,\dots,a_n)}$ equals function Z if and only if the corresponding {0, 1, X}-simulation assigns either value X to both input signal lines of the AND-gate or value X to one of the input signal lines and value 1 to the other one. That is, function p · q fulfills Property 1, too.

2. Let p and q be the two functions computed for the predecessor gates of an OR-gate. By induction, we can assume that both fulfill Property 1. Thus, for each assignment $(a_1, \dots, a_n)$ to the Boolean variables $x_1, \dots, x_n$, the equation

$$(p + q)_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} + q_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = \begin{cases} 0, & \text{if } p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 0 \text{ and } q_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 0 \\ 1, & \text{if } p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 1 \text{ or } q_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 1 \\ Z, & \text{if } \{p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)}, q_{[x_1,\dots,x_n]=(a_1,\dots,a_n)}\} = \{Z\} \text{ or } \{p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)}, q_{[x_1,\dots,x_n]=(a_1,\dots,a_n)}\} = \{0, Z\} \end{cases}$$

holds. Thus, function p + q fulfills Property 1, too.

3. Let p be the function computed for the predecessor gate of an inverter. By induction, we can assume that it fulfills Property 1. Thus, for each assignment $(a_1, \dots, a_n)$ to the Boolean variables $x_1, \dots, x_n$, the equation

$$((p')_{Z=Z'})_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = ((p')_{[x_1,\dots,x_n]=(a_1,\dots,a_n)})_{Z=Z'} = ((p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)})')_{Z=Z'} = \begin{cases} 0, & \text{if } p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 1 \\ 1, & \text{if } p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 0 \\ (Z')_{Z=Z'}, & \text{if } p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = Z \end{cases} = \begin{cases} 0, & \text{if } p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 1 \\ 1, & \text{if } p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 0 \\ Z, & \text{if } p_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = Z \end{cases}$$

holds.

After we have obtained functions gi for all outputs of the partial implementation 
by symbolic Z-simulation and functions fi for all outputs of the specification by 
a conventional symbolic simulation, the check whether there is a distinguishing 
vector between specification and implementation is based on the following two 
lemmas. 

Lemma 7.1 There is no input vector $(a_1, \dots, a_n) \in \{0, 1\}^n$ with

$$(g_i)_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 1 \text{ and } f_i(a_1, \dots, a_n) = 0$$

if and only if

$$((g_i)_{Z=0} \Rightarrow f_i) = 1.$$
Proof: Let us assume without loss of generality that variable Z is the last variable in the variable order of the ROBDD (without complemented edges) of $g_i$. As each cofactor of $g_i$ with respect to the primary input variables $x_1, \dots, x_n$ is either 0, 1, or Z, all the nodes of the ROBDD of $g_i$ labelled with variable Z represent the Boolean function Z. Thus, for all vectors $(a_1, \dots, a_n) \in \{0, 1\}^n$ the implication

holds.

Now assume that

$$((g_i)_{Z=0} \Rightarrow f_i) \neq 1$$

holds. That is, there is an assignment $(a_1, \dots, a_n)$ to the primary input variables $(x_1, \dots, x_n)$ such that

$$(g_i)_{Z=0}(a_1, \dots, a_n) = 1 \text{ and } f_i(a_1, \dots, a_n) = 0$$

which implies

$$(g_i)_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 1 \text{ and } f_i(a_1, \dots, a_n) = 0.$$

This finishes the proof of the if-part of the statement.

Now suppose that

$$((g_i)_{Z=0} \Rightarrow f_i) = 1$$

holds. Then we have to consider two cases for an arbitrary input vector $(a_1, \dots, a_n) \in \{0, 1\}^n$:

■ If $(g_i)_{Z=0}(a_1, \dots, a_n) = 0$, then $g_i(a_1, \dots, a_n, 0) = 0$. Consequently, $(g_i)_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} \neq 1$ holds.

■ If $(g_i)_{Z=0}(a_1, \dots, a_n) = 1$, we can conclude $f_i(a_1, \dots, a_n) = 1$.

This completes the proof. ■

Lemma 7.2 There is no input vector $(a_1, \dots, a_n) \in \{0, 1\}^n$ with

$$(g_i)_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 0 \text{ and } f_i(a_1, \dots, a_n) = 1$$

if and only if

$$(f_i \Rightarrow (g_i)_{Z=1}) = 1.$$

Proof: The statement can be proved analogously to Lemma 7.1. ■
2. Symbolic $Z_i$-simulation

A disadvantage of symbolic Z-simulation lies in the fact that not all errors, which are present in a partial implementation, can be found by the procedure described above.




Figure 7.6. Disadvantage of symbolic Z-simulation.



Figure 7.6 shows an example for such a situation. The partial implementation shown does not fulfill the specification of Figure 7.1a, i.e., there is no implementation for the black boxes which leads to a correct overall implementation. However, the approach of the previous section always computes X at the output of the EXOR-gate, since both inputs of the EXOR-gate are X (cf. Figure 7.5). That is, $g_1 = x_1 + Z$. Therefore, the first primary output is X, if $x_1 = 0$, and 1, if $x_1 = 1$. Since the first output of the specification is 1 as well, if $x_1 = 1$, no error can be detected at the first output. Moreover it is easy to see that the partial implementation of the second output is also correct (replace $BB_2$ by an OR-gate). So the method of the previous section cannot detect an error in this partial implementation.

If we have a closer look at the partial implementation, we can see that the first output does not depend on the output of black box $BB_1$, as the output of the EXOR-gate whose inputs are connected to the output of $BB_1$ is 0 independently of the output of $BB_1$. The input vector (0, 0, 0, 1, 1, 0, 0, 0) leads to output (0, 1) which is different from the output (1, 1) of the specification. The reason why the error could not be detected by symbolic Z-simulation lies in the fact that the values X at the inputs of the EXOR-gate are not accurately processed. The simple X-propagation does not take into account that the X-information comes from the same output of black box $BB_1$ (resulting in value 0 at the output).

To consider the origin of X-information it is not enough to introduce one variable Z for all black box outputs. Instead of that we have to introduce different variables $Z_i$ for each black box output i. After the inputs of the circuit have been associated with unique BDD variables a conventional symbolic simulation is performed. That is, the ROBDDs of the Boolean functions realized by the circuit under consideration are computed as described in Chapter 3 Section 3.2 on page 38. Now, the result for primary output j of the circuit is a function $g_j$ which depends on the primary input variables $x_1, \dots, x_n$ and the l variables $Z_1, \dots, Z_l$ for the l outputs of the black boxes. Once again, let us illustrate the approach with the circuit already used for the illustration of the Z-simulation procedure (see Figure 7.4). In Figure 7.7, we have tagged the signal lines with the $g_j$'s computed by the new approach, which is called $Z_i$-simulation.

Figure 7.7. Illustration of $Z_i$-simulation



Conventional symbolic simulation of the circuit shown in Figure 7.6 with output variables $Z_1$ for $BB_1$ and $Z_2$ for $BB_2$, respectively, results in

$g_1 =$

for the first output, which proves that the partial implementation is faulty, and

92 = {x% ■ (X4 • 2 : 5 )) + {xs • Z 2 ) 

for the second output. 

Now, let us go into details. 

2.1 Local check 

As in the case of Z-simulation we consider complete cofactors of implementation and specification with respect to all primary input variables. Here we call a cofactor complete, if it is a cofactor with respect to all primary input variables. If a complete cofactor of some output function of the partial implementation is 0 (1), this means that the output value is 0 (1) independently of the functionality of the black boxes. If for the same output function of the specification this cofactor is 1 (0), then we have found an error in the partial implementation. The only difference of this method compared to Z-simulation is the fact that the effect of the unknown values at the outputs of black boxes is evaluated more accurately.

A check whether there is a distinguishing vector for a primary output j of the partial implementation and the specification can be done according to the following lemma. It is called local check, since it is done for each output separately.

Lemma 7.3 (local check) Let $g_j$ be the function of output j after symbolic $Z_i$-simulation for a partial implementation with primary inputs $x_1, \dots, x_n$ and l outputs of black boxes with corresponding variables $Z_1, \dots, Z_l$. Let $f_j$ be output j of the specification. Then, there is no input vector $(a_1, \dots, a_n) \in \{0, 1\}^n$ with

$$(g_j)_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 1 \text{ and } f_j(a_1, \dots, a_n) = 0$$

if and only if

$$((\forall Z_1 : (\forall Z_2 : (\dots (\forall Z_l : g_j)))) \Rightarrow f_j) = 1$$

and there is no input vector $(a_1, \dots, a_n) \in \{0, 1\}^n$ with

$$(g_j)_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} = 0 \text{ and } f_j(a_1, \dots, a_n) = 1$$

if and only if

$$((\forall Z_1 : (\forall Z_2 : (\dots (\forall Z_l : g_j')))) \Rightarrow f_j') = 1.$$

Proof: We first prove the if-part of the first statement.

Let us assume that

$$((\forall Z_1 : (\forall Z_2 : (\dots (\forall Z_l : g_j)))) \Rightarrow f_j) \neq 1,$$

i.e., there is an assignment $(a_1, \dots, a_n) \in \{0, 1\}^n$ with

$$((\forall Z_1 : (\forall Z_2 : (\dots (\forall Z_l : g_j)))) \Rightarrow f_j)(a_1, \dots, a_n) = 0$$

which is equivalent to

$$(\forall Z_1 : (\forall Z_2 : (\dots (\forall Z_l : g_j))))(a_1, \dots, a_n) = 1 \text{ and } f_j(a_1, \dots, a_n) = 0.$$

The equation $(\forall Z_1 : (\forall Z_2 : (\dots (\forall Z_l : g_j))))(a_1, \dots, a_n) = 1$ implies that for all assignments $(\delta_1, \dots, \delta_l)$ to the variables $Z_1, \dots, Z_l$ the equation

$$g_j(a_1, \dots, a_n, \delta_1, \dots, \delta_l) = 1$$

holds. Thus,

holds, too. This closes the proof of the if-part of the statement.

Now, suppose that

$$((\forall Z_1 : (\forall Z_2 : (\dots (\forall Z_l : g_j)))) \Rightarrow f_j) = 1$$

holds. Then we have to consider two cases for an arbitrary input vector $(a_1, \dots, a_n) \in \{0, 1\}^n$:

■ If $(\forall Z_1 : (\forall Z_2 : (\dots (\forall Z_l : g_j))))(a_1, \dots, a_n) = 0$, then there is an assignment $(\delta_1, \dots, \delta_l)$ to the variables $Z_1, \dots, Z_l$ with

$$g_j(a_1, \dots, a_n, \delta_1, \dots, \delta_l) = 0.$$

This proves

$$(g_j)_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} \neq 1.$$

■ If $(\forall Z_1 : (\forall Z_2 : (\dots (\forall Z_l : g_j))))(a_1, \dots, a_n) = 1$, then $f_j(a_1, \dots, a_n) = 1$ can be concluded.

Thus the first statement holds. Statement 2 can be proven in an anal ogous manner. ■

2.2 Output exact check 

The local check based on $Z_i$-simulation is more exact than Z-simulation. However, implications between different outputs are not taken into account. In order to obtain an even more accurate check, a more "global" viewpoint has to be used. Figure 7.8 illustrates the difficulty with the local check approach. For the first output the only possibility to fulfill the specification of Figure 7.1a is to replace $BB_1$ by the function $x_4 \cdot x_5$. However, for the second output the only possibility to fulfill the specification is to replace $BB_1$ by $(x_4 \cdot x_5)'$. This implies that the partial implementation of Figure 7.8 is incorrect. In spite of that, the error cannot be detected by the local check procedure, since it is done for each output separately.

To detect errors of this type we have to compute "local conditions" for each output, which guarantee correctness for the single outputs, and then, we have to combine the local conditions in order to check whether these local conditions can be fulfilled at the same time for all outputs.

Figure 7.8. Disadvantage of the local check procedure.

The local conditions are computed based on the following considerations: To obtain a correct implementation, for each primary output j and each assignment $(a_1, \dots, a_n)$ to the primary inputs an assignment $(\delta_1, \dots, \delta_l)$ to the black box outputs has to be chosen such that

$$g_j(a_1, \dots, a_n, \delta_1, \dots, \delta_l) \text{ and } f_j(a_1, \dots, a_n)$$

are identical, i.e.,

$$((g_j)_{[x_1,\dots,x_n]=(a_1,\dots,a_n)} \equiv f_j(a_1, \dots, a_n))(\delta_1, \dots, \delta_l) = 1.$$

The relation between assignments $(a_1, \dots, a_n)$ to the primary inputs and assignments $(\delta_1, \dots, \delta_l)$ to the outputs of the black boxes, which are necessary to fulfill the specification, can be expressed by the characteristic function $cond_j$ defined by

$$cond_j = \sum_{(a_1,\dots,a_n) \in \{0,1\}^n} (x_1^{a_1} \cdot \ldots \cdot x_n^{a_n}) \cdot (g_j \equiv f_j)_{[x_1,\dots,x_n]=(a_1,\dots,a_n)}$$

with $x_i^1 = x_i$, $x_i^0 = x_i'$, and $\sum$ denoting the iterated logical-or operator. The characteristic function $cond_j$ equals 1 for argument $(a_1, \dots, a_n, \delta_1, \dots, \delta_l)$ if and only if $g_j(a_1, \dots, a_n, \delta_1, \dots, \delta_l)$ and $f_j(a_1, \dots, a_n)$ are identical, i.e., if and only if the assignment of $(\delta_1, \dots, \delta_l)$ to the black box outputs leads to a correct output of the implementation for the given input $(a_1, \dots, a_n)$. Applying the Boole-Shannon decomposition (see Chapter 2 Theorem 2.1) the expression for $cond_j$ can be rewritten as

$$cond_j = (g_j \equiv f_j).$$

Thus, $cond_j$ can be computed using one ROBDD operation applied to the ROBDDs of $g_j$ and $f_j$.

For a correct partial implementation all conditions $cond_1, \ldots, cond_m$ have to be true. If there is an input assignment $(\alpha_1, \ldots, \alpha_n)$ such that for all assignments $(\delta_1, \ldots, \delta_l)$ to the black box outputs at least one condition $cond_j$ is false, then the partial implementation cannot be used to obtain a correct final implementation. This leads us to a new, more accurate check, which we call output exact check procedure.

Lemma 7.4 (output exact check) If

$$\left(\exists x_1 : \ldots \left(\exists x_n : \left(\forall Z_1 : \ldots \left(\forall Z_l : \sum_{j=1}^{m} (cond_j)'\right)\right)\right)\right) = 1$$

then the partial implementation does not fulfill its specification.

Proof: The proof directly follows from the considerations made above. ■



For illustration, consider the partial implementation of Figure 7.8 and the specification of Figure 7.1a. For input $(0, 0, 0, 1, 1, 0, 0, 0)$, output $g_1$ of the implementation equals output $f_1$ of the specification only if the black box output is 1 for this input. This implies

$$cond_1(0, 0, 0, 1, 1, 0, 0, 0, \delta_1) = 1 \Leftrightarrow \delta_1 = 1.$$

However, for input $(0, 0, 0, 1, 1, 0, 0, 0)$ output $g_2$ of the implementation equals output $f_2$ only if the black box output is 0 for this input. This implies

$$cond_2(0, 0, 0, 1, 1, 0, 0, 0, \delta_1) = 1 \Leftrightarrow \delta_1 = 0.$$

Thus, there is no assignment to $\delta_1$ such that both $cond_1(0, 0, 0, 1, 1, 0, 0, 0, \delta_1)$ and $cond_2(0, 0, 0, 1, 1, 0, 0, 0, \delta_1)$ are equal to 1.

For the assignment $(0, 0, 0, 1, 1, 0, 0, 0)$ to the primary inputs, it holds

$$(\forall Z_1 : (cond_1)' + (cond_2)')(0, 0, 0, 1, 1, 0, 0, 0)$$
$$= ((cond_1)' + (cond_2)')_{Z_1 = 1}(0, 0, 0, 1, 1, 0, 0, 0) \cdot ((cond_1)' + (cond_2)')_{Z_1 = 0}(0, 0, 0, 1, 1, 0, 0, 0)$$
$$= 1 \cdot 1 = 1.$$

That is, the output exact check reports an error as

$$(\exists x_1 : \ldots (\exists x_8 : (\forall Z_1 : (cond_1)' + (cond_2)'))) = 1.$$
2.3 Input exact check

The output exact check reports no error if and only if

$$\left(\forall x_1 : \ldots \left(\forall x_n : \left(\exists Z_1 : \ldots \left(\exists Z_l : \prod_{j=1}^{m} cond_j\right)\right)\right)\right) = 1,$$

i.e., if and only if for each assignment $(\alpha_1, \ldots, \alpha_n)$ to the primary inputs there exists an assignment $(\delta_1, \ldots, \delta_l)$ to the black box outputs such that the conditions $cond_j$ for all outputs $j$ are true, which means that $g_j(\alpha_1, \ldots, \alpha_n, \delta_1, \ldots, \delta_l)$ and $f_j(\alpha_1, \ldots, \alpha_n)$ are identical for all $1 \le j \le m$. Thus we can choose these values $(\delta_1, \ldots, \delta_l)$ to define the function values of the black box outputs under input $(\alpha_1, \ldots, \alpha_n)$. Thus, there is no error in the partial implementation, i.e., the black boxes can be replaced to obtain a correct final implementation, if the output exact check reports no error and we are allowed to use all primary inputs as inputs of the black boxes. However, this is not a realistic assumption. If we have fixed sets of input signals for the black boxes (actually they may be different from all primary inputs), it is possible that the output exact check does not find all errors.

Figure 7.9 shows such a case. The partial implementation (for the specification of Figure 7.1a) contains one black box $BB_1$. If the black box is replaced by $x_8 \cdot (x_6 + x_7)$, then implementation and specification are equivalent. It is easy to prove that a correct implementation for $BB_1$ must depend on input $x_8$. Just consider the assignment $x_4 = 0$, $x_5 = 0$, $x_6 = 1$, and $x_7 = 1$. For this assignment, output $f_2$ of the specification shown in Figure 7.1a is 0 if and only if $x_8 = 0$. The output $g_2$ of the partial implementation proposed in Figure 7.9 is 0 under this input assignment if and only if the output of the black box is 0. Thus, in order to obtain a correct implementation for black box $BB_1$, under the above assignment of the inputs $x_4$, $x_5$, $x_6$, and $x_7$, the output of black box $BB_1$ has to be 0 if and only if $x_8$ is 0. However, the inputs of black box $BB_1$ are only $x_6$ and $x_7$. Thus, there is no correct implementation for $BB_1$. The partial implementation is incorrect. But the output exact check does not report an error as

■ $cond_1$ is a tautology and

■ for all assignments of the primary inputs $x_1, \ldots, x_8$ there is an assignment to the output of black box $BB_1$, i.e., to $Z_1$, such that $cond_2$ evaluates to 1.

Figure 7.9. Disadvantage of output exact check

In the following, let us concentrate on defining a check which reflects this 
problem, too. We start with the special case that the partial implementation 
contains only one black box. 

Before going into details, we have to define some abbreviations to simplify the notation.

■ Let $F$ be a Boolean formula over $X = \{x_1, \ldots, x_n\}$ and let $Y = \{y_1, \ldots, y_k\}$ be some subset of $X$. We abbreviate

$$(\exists y_1 : \ldots (\exists y_k : F)) \quad \text{and} \quad (\forall y_1 : \ldots (\forall y_k : F))$$

by $(\exists Y : F)$ and $(\forall Y : F)$, respectively.

■ The conjunction $\prod_{j=1}^{m} cond_j$ is abbreviated by $cond$. It can be interpreted as the characteristic function of a Boolean relation between assignments $(\alpha_1, \ldots, \alpha_n)$ to the primary input variables and assignments $(\delta_1, \ldots, \delta_l)$ to the outputs of the black boxes with

$$cond(\alpha_1, \ldots, \alpha_n, \delta_1, \ldots, \delta_l) = 1$$

if and only if $(\delta_1, \ldots, \delta_l)$ is a legal assignment to the outputs of the black boxes for primary input vector $(\alpha_1, \ldots, \alpha_n)$, i.e., if and only if all output values of the partial implementation with $(\alpha_1, \ldots, \alpha_n)$ assigned to the primary inputs and $(\delta_1, \ldots, \delta_l)$ assigned to the black box outputs are identical to the corresponding output values of the specification for assignment $(\alpha_1, \ldots, \alpha_n)$ to the primary inputs.

2.3.1 Partial implementations with only one black box 

As mentioned, we first concentrate on partial implementations which contain only one black box, $BB_1$. We have to take into account that the inputs of this black box can be internal signals of the partial implementation and that not all primary inputs are connected to the inputs of $BB_1$. Let us assume that $BB_1$ has $q$ input signal lines $i_1, \ldots, i_q$ and $p$ output signal lines $o_1, \ldots, o_p$. We denote the set of the input signal lines and output signal lines of $BB_1$ by $I$ and $O$, respectively.

Now, consider the Boolean functions which compute the assignments of the black box inputs. There are $q$ such functions $h_1, \ldots, h_q$. They only depend on primary input variables of $X$. The characteristic function of the Boolean relation for $h_1, \ldots, h_q$ is computed by

$$H(x_1, \ldots, x_n, i_1, \ldots, i_q) = \prod_{k=1}^{q} (i_k \equiv h_k(x_1, \ldots, x_n)).$$

To simplify the notation, we use the shortened form

$$H(X, I) = \prod_{k=1}^{q} (i_k \equiv h_k(X))$$

in the following.

Based on the Boolean relation $cond$ defined above, which is a Boolean relation between primary input assignments and output assignments of black box $BB_1$, we compute the characteristic function of a Boolean relation between input assignments and output assignments of black box $BB_1$. Formally, this Boolean relation, which we call $COND$, is defined as

$$COND(I, O) = (\forall X : H'(X, I) + cond(X, O)).$$

$COND(\varepsilon, \delta)$ computes 1 for an assignment $\varepsilon = (\varepsilon_1, \ldots, \varepsilon_q)$ to the inputs of black box $BB_1$ and an assignment $\delta = (\delta_1, \ldots, \delta_p)$ to the outputs of black box $BB_1$ if and only if for all assignments $\alpha = (\alpha_1, \ldots, \alpha_n)$ to the primary inputs

■ $\alpha$ and $\varepsilon$ lead to a signal assignment which is not consistent with the circuit of the partial implementation (this is checked by term $H'(X, I)$)

or

■ $\delta$ is a legal output of black box $BB_1$ under input $\alpha$, i.e., $\alpha$ and $\delta$ result in correct values at the primary outputs of the partial implementation (this is checked by term $cond(X, O)$).

That is, for $COND(\varepsilon, \delta)$ to be 1, vector $\delta$ has to be a legal output of black box $BB_1$ under input $\alpha$ whenever $\alpha$ and $\varepsilon$ lead to a signal assignment which is consistent with the circuit of the partial implementation.

Now, the following theorem, which gives us a necessary and sufficient condition 
for the correctness of partial implementations with exactly one black box, can 
be proven. 
Theorem 7.1 (one black box input exact check)

There is a replacement of black box $BB_1$ by a completely specified Boolean function with input variables $I$ leading to a correct overall implementation if and only if

$$(\forall I : (\exists O : COND(I, O))) = 1$$

holds.

Proof: Firstly, let us assume that

$$(\forall I : (\exists O : COND(I, O))) = 1$$

holds, i.e., for all $\varepsilon \in \{0,1\}^q$ there is at least one vector $\delta \in \{0,1\}^p$ such that $COND(\varepsilon, \delta) = 1$. Let $\delta_\varepsilon$ be any such vector which is related with $\varepsilon$.

Now, consider $bb_1 \in B_{q,p}$ defined by

$$\forall \varepsilon \in \{0,1\}^q : bb_1(\varepsilon) = \delta_\varepsilon.$$

We prove that a replacement of black box $BB_1$ by $bb_1$ leads to an overall circuit which fulfills the specification. Assume that this is false, i.e., there is an assignment $\alpha$ to the input variables for which the output of the partial implementation after replacement of black box $BB_1$ is incorrect. Let $\varepsilon \in \{0,1\}^q$ be the input vector and $\delta \in \{0,1\}^p$ the output vector of black box $BB_1$ (actually replaced by $bb_1$), which is obtained by simulation when vector $\alpha$ is applied to the inputs of the implementation. Then, we can argue as follows:

■ Since the output is incorrect, $cond(\alpha, \delta) = 0$ holds.

■ Since $bb_1(\varepsilon) = \delta$, i.e., $\delta = \delta_\varepsilon$, $COND(\varepsilon, \delta) = 1$ holds by the definition of $bb_1$.

■ Since $COND(\varepsilon, \delta) = 1$ and $cond(\alpha, \delta) = 0$, we can conclude by the definition of $COND$ that $H(\alpha, \varepsilon) = 0$, which states that $\alpha$ and $\varepsilon$ is an inconsistent assignment to the signals of the implementation. However, this contradicts the fact that $\varepsilon$ and $\delta$ were determined by simulation of the implementation applied to the input vector $\alpha$.

This closes the proof that the replacement of black box $BB_1$ by $bb_1$ leads to an overall circuit which fulfills the specification.

Now, let us prove the other direction. We assume that there is a replacement of $BB_1$ by a completely specified Boolean function $bb_1 \in B_{q,p}$ which leads to a correct implementation. We have to prove that

$$\forall \varepsilon \in \{0,1\}^q \; \exists \delta \in \{0,1\}^p : COND(\varepsilon, \delta) = 1.$$

Let $\varepsilon \in \{0,1\}^q$ be fixed. We show that $COND(\varepsilon, \delta_\varepsilon) = 1$ with $\delta_\varepsilon := bb_1(\varepsilon)$ holds.

Let $\alpha \in \{0,1\}^n$ be an arbitrary assignment to the input variables of the implementation. We have to consider two different cases.

■ If $cond(\alpha, \delta_\varepsilon) = 1$,

$$H'(\alpha, \varepsilon) + cond(\alpha, \delta_\varepsilon) = 1$$

immediately follows.

■ If $cond(\alpha, \delta_\varepsilon) = 0$, then the output of the partial implementation with $\alpha$ assigned to the primary inputs and $\delta_\varepsilon$ assigned to the outputs of black box $BB_1$ is not identical to the corresponding output of the specification. As the replacement of $BB_1$ by $bb_1$ has led to a correct implementation of the specification, the assignment $\varepsilon$ to the inputs of black box $BB_1$ is not generated by assigning $\alpha$ to the primary inputs, i.e., $H(\alpha, \varepsilon) = 0$ holds. Thus,

$$H'(\alpha, \varepsilon) + cond(\alpha, \delta_\varepsilon) = 1$$

holds in this case, too.

Since $\alpha$ was chosen as an arbitrary assignment to the primary input variables, this shows that

$$COND(\varepsilon, \delta_\varepsilon) = (\forall X : H'(X, \varepsilon) + cond(X, \delta_\varepsilon)) = 1$$

holds. ■

Note that, in general, the necessary and sufficient condition given in Theorem 
7.1 can be checked efficiently. 
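The checks of Sections 2.2 and 2.3.1 side by side, as an added worked example that is not code from the book: a truth-table implementation of $cond_j$, the per-output local check, the output exact check of Lemma 7.4 and the one-black-box input exact check of Theorem 7.1. The two circuits at the bottom are constructed toys that reproduce the situations the text describes for Figures 7.8 and 7.9; they are not the circuits of Figures 7.1a, 7.8 or 7.9, and the signal names, the black-box wirings `H_67` / `H_678` and the toy specifications are all assumptions.

```python
from itertools import product

# Added example, not the book's code. Signals are named; a Boolean function is a
# callable taking a dict {signal_name: 0/1}. The two circuits at the bottom are
# constructed toys that reproduce the situations described for Figures 7.8 and
# 7.9; they are not the circuits of Figures 7.1a, 7.8 or 7.9.


def assignments(names):
    """Enumerate all 0/1 assignments to the given signal names as dicts."""
    for vals in product((0, 1), repeat=len(names)):
        yield dict(zip(names, vals))


def cond_j(f_j, g_j, alpha, delta):
    """cond_j(alpha, delta) = (g_j == f_j) with alpha on the primary inputs X
    and delta on the black-box outputs Z (Section 2.2)."""
    return int(g_j({**alpha, **delta}) == f_j(alpha))


def cond(spec, impl, alpha, delta):
    """cond = conjunction of all cond_j (the abbreviation of Section 2.3)."""
    return int(all(cond_j(f, g, alpha, delta) for f, g in zip(spec, impl)))


def local_check(spec, impl, X, Z):
    """Per-output check: each output j separately needs, for every input,
    some black-box output making cond_j true. Returns the index of the first
    failing output, or None if every output passes on its own."""
    for j, (f, g) in enumerate(zip(spec, impl)):
        for alpha in assignments(X):
            if not any(cond_j(f, g, alpha, delta) for delta in assignments(Z)):
                return j
    return None


def output_exact_check(spec, impl, X, Z):
    """Lemma 7.4: an error is reported iff some input alpha has no delta with
    all cond_j = 1 at once. Returns such an alpha, or None."""
    for alpha in assignments(X):
        if not any(cond(spec, impl, alpha, delta) for delta in assignments(Z)):
            return alpha
    return None


def H(h, alpha, eps):
    """Characteristic function of the black-box input lines:
    H(alpha, eps) = 1 iff eps == (h_1(alpha), ..., h_q(alpha))."""
    return int(all(h_k(alpha) == e for h_k, e in zip(h, eps)))


def COND(spec, impl, X, h, eps, delta):
    """COND(eps, delta) = (forall alpha : H'(alpha, eps) + cond(alpha, delta))."""
    return int(all(not H(h, alpha, eps) or cond(spec, impl, alpha, delta)
                   for alpha in assignments(X)))


def input_exact_check(spec, impl, X, Z, h):
    """Theorem 7.1 (one black box): correct iff forall eps exists delta
    COND(eps, delta) = 1. Returns a black-box input vector eps for which no
    legal output exists, or None if the partial implementation is correct."""
    for eps in product((0, 1), repeat=len(h)):
        if not any(COND(spec, impl, X, h, eps, delta) for delta in assignments(Z)):
            return eps
    return None


# Toy 1 (situation of Figure 7.8): both outputs are the bare black-box output,
# but the specification needs x4*x5 for output 1 and (x4*x5)' for output 2.
X1, Z1 = ["x4", "x5"], ["Z1"]
SPEC1 = [lambda a: a["x4"] & a["x5"], lambda a: 1 - (a["x4"] & a["x5"])]
IMPL1 = [lambda e: e["Z1"], lambda e: e["Z1"]]

# Toy 2 (situation of Figure 7.9): f = x8*(x6+x7), g = Z1, and the black box is
# wired to x6 and x7 only, so no replacement can supply the dependence on x8.
X2, Z2 = ["x6", "x7", "x8"], ["Z1"]
SPEC2 = [lambda a: a["x8"] & (a["x6"] | a["x7"])]
IMPL2 = [lambda e: e["Z1"]]
H_67 = [lambda a: a["x6"], lambda a: a["x7"]]      # assumed wiring: inputs x6, x7
H_678 = H_67 + [lambda a: a["x8"]]                 # assumed repair: x8 wired in too

if __name__ == "__main__":
    print("toy 1 local check   :", local_check(SPEC1, IMPL1, X1, Z1))
    print("toy 1 output exact  :", output_exact_check(SPEC1, IMPL1, X1, Z1))
    print("toy 2 output exact  :", output_exact_check(SPEC2, IMPL2, X2, Z2))
    print("toy 2 input exact   :", input_exact_check(SPEC2, IMPL2, X2, Z2, H_67))
    print("toy 2 with x8 wired :", input_exact_check(SPEC2, IMPL2, X2, Z2, H_678))
```

On toy 1 the local check passes (each output alone admits a replacement) while the output exact check returns a witness input, exactly the gap between Section 2.1 and Lemma 7.4. On toy 2 the output exact check passes, because every input admits some black-box output, while the input exact check returns a black-box input vector that has no legal output as long as the box sees only $x_6$ and $x_7$; wiring $x_8$ into the box makes the check pass. The enumeration over all assignments is only practical for toys; the book computes the same relations with ROBDD operations.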

2.3.2 Partial implementations with more than one black box

The condition given in Theorem 7.1 can be generalized to partial implemen- 
tations with more than one black box. However, the corresponding decision 
problem is NP-complete. For detailed information, we refer to [129, 130]. 
Here we confine the considerations to a straightforward generalization of the 
condition presented in Theorem 7.1 which results in a check for partial imple- 
mentations with more than one black box which is not exact, but at least as 
good as the output exact check. 

In the following, we assume that we have $b$ black boxes $BB_1, \ldots, BB_b$, which can have several outputs and inputs. The set of the input signals of $BB_j$ and the set of the output signals of $BB_j$ are denoted by $I_j$ and $O_j$, respectively. Let us assume that black box $BB_j$ has $q_j$ input signal lines and $p_j$ output signal lines. Furthermore, we assume that the black boxes are topologically ordered. Without loss of generality, assume that $BB_1, \ldots, BB_b$ is a topological order of the black boxes, i.e., $BB_1$ is the first black box with respect to this order.

Now, consider the Boolean functions which compute the assignments to the inputs of the black boxes. For black box $BB_j$, there are $q_j$ such functions $h^{(j)}_1, \ldots, h^{(j)}_{q_j}$. Because of the topological order of the black boxes, they can depend at most on primary input variables of $X$ and the output variables $O_1, \ldots, O_{j-1}$ of $BB_1, \ldots, BB_{j-1}$. We denote the characteristic function of the Boolean relation for $h^{(j)}_1, \ldots, h^{(j)}_{q_j}$ by $H_j(X, O_1, \ldots, O_{j-1}, I_j)$.

Based on the Boolean relation $cond(X, O_1, \ldots, O_b)$, which is a Boolean relation between primary input assignments and legal output assignments of the black boxes $BB_1, \ldots, BB_b$, we compute the characteristic function

$$COND(I_1, \ldots, I_b, O_1, \ldots, O_b)$$

of a Boolean relation between input assignments and output assignments of the black boxes $BB_1, \ldots, BB_b$, which is formally defined as

$$(\forall X : H_1'(X, I_1) + \ldots + H_b'(X, O_1, \ldots, O_{b-1}, I_b) + cond(X, O_1, \ldots, O_b)).$$



Now, the new check is given by

$$(\forall I_1 : (\exists O_1 : \ldots (\forall I_b : (\exists O_b : COND(I_1, \ldots, I_b, O_1, \ldots, O_b))))) = 1$$

and it can be proven that the check is at least as good as the output exact check.

Theorem 7.2

$$(\forall I_1 : (\exists O_1 : \ldots (\forall I_b : (\exists O_b : COND(I_1, \ldots, I_b, O_1, \ldots, O_b)))))$$
$$\Rightarrow (\forall X : (\exists O_1 : \ldots (\exists O_b : cond(X, O_1, \ldots, O_b))))$$



Proof: Assume that

$$(\forall I_1 : (\exists O_1 : \ldots (\forall I_b : (\exists O_b : COND(I_1, \ldots, I_b, O_1, \ldots, O_b))))) = 1$$

holds. Obviously, this assumption is equivalent to the statement that there are Boolean functions $f_{O_1}, \ldots, f_{O_b}$, where $f_{O_j}$ depends only on $I_1, \ldots, I_j$, such that

$$(\forall I : (\forall X : CC(X, I_1, \ldots, I_b, f_{O_1}(I_1), \ldots, f_{O_b}(I_1, \ldots, I_b)))) = 1$$

with $I = I_1 \cup \ldots \cup I_b$ and

$$CC(X, I_1, \ldots, I_b, O_1, \ldots, O_b) = H_1'(X, I_1) + \ldots + H_b'(X, O_1, \ldots, O_{b-1}, I_b) + cond(X, O_1, \ldots, O_b).$$

In order to prove that for an arbitrary vector $\alpha \in \{0,1\}^n$ there exist vectors $\delta^{(1)} \in \{0,1\}^{p_1}, \ldots, \delta^{(b)} \in \{0,1\}^{p_b}$ such that

$$cond(\alpha, \delta^{(1)}, \ldots, \delta^{(b)}) = 1$$

holds, we make use of the topological order of the black boxes. We apply $\alpha$ to the primary inputs of the partial implementation. This way, we obtain an input assignment $\varepsilon^{(1)} \in \{0,1\}^{q_1}$ of black box $BB_1$ with $H_1(\alpha, \varepsilon^{(1)}) = 1$. Applying $\alpha$ to the primary inputs and $f_{O_1}(\varepsilon^{(1)})$ to the outputs of black box $BB_1$ we obtain an input assignment $\varepsilon^{(2)} \in \{0,1\}^{q_2}$ of black box $BB_2$ with $H_2(\alpha, f_{O_1}(\varepsilon^{(1)}), \varepsilon^{(2)}) = 1$. Continuing this procedure we obtain $\varepsilon^{(1)}, \ldots, \varepsilon^{(b)}$ with

$$\forall j \in \{1, \ldots, b\} : H_j(\alpha, f_{O_1}(\varepsilon^{(1)}), \ldots, f_{O_{j-1}}(\varepsilon^{(1)}, \ldots, \varepsilon^{(j-1)}), \varepsilon^{(j)}) = 1.$$

Using our assumption, we have to conclude that

$$cond(\alpha, f_{O_1}(\varepsilon^{(1)}), \ldots, f_{O_b}(\varepsilon^{(1)}, \ldots, \varepsilon^{(b)})) = 1$$

and since vector $\alpha$ was arbitrarily chosen

$$(\forall X : (\exists O_1 : \ldots (\exists O_b : cond(X, O_1, \ldots, O_b))))$$

holds. ■
Notes

1 The results of this chapter have been presented in [129] and [130]. The 
adaption of these papers for the book was done in close cooperation with 
Paul Molitor. 




Chapter 8 



PERMUTATION INDEPENDENT 
BOOLEAN COMPARISON 



A problem that occurs in equivalence checking of combinational circuits is that 
most verifiers use syntactical name matching to determine corresponding input 
variables and corresponding output variables. This is one of the most important 
reasons for false negative results. During synthesis huge hierarchical designs 
lead to long hierarchical names for signal lines. Since most backend tools have 
severe restrictions on name lengths, the names are shortened accordingly. In 
particular, if VHDL generics are involved, then the names may be changed such 
that not even a human is able to establish this correspondence without a detailed 
analysis of the design [118]. On the other hand, looking at equivalence check- 
ing methods it is obvious that things are much easier when the correspondence 
between the primary inputs and the primary outputs of the two circuits which 
have to be compared is known. For example, before applying equiva- 
lence checking methods based on canonical representations it is even necessary 
to restore this correspondence since ROBDDs and *BMDs are canonical forms 
for a fixed variable order only. 

Establishing the correspondence between the outputs is not a problem if the correspondence between the inputs has already been restored. Just sort the decision diagram pointers of the single-output Boolean functions of the specification and the decision diagram pointers of the single-output Boolean functions of the synthesized circuit with respect to the same fixed variable order and compare the two lists. Thus, only the correspondence between the input variables has to be established before checking equivalence.

This correspondence problem, which is called permutation independent Boolean comparison problem, is a particular Boolean matching problem. Usually, Boolean matching is applied to library binding and tackles the problem of recognizing whether a portion of a multiple-level logic circuit can be implemented by a cell of the cell library of a given technology [7]. This classification 
problem has already been investigated for a long time. Following the work of 
Dertouzos [39] and Lechner [87] it has been shown that spectral methods yield 
powerful classification techniques for functions. While this theory is fasci- 
nating, its implementation seems to be impractical for verification problems 
because of the exponential size of the matrices used by these methods. For 
more details on spectral techniques in logic design, we refer to the book of 
Hurst, Miller, and Muzio [65]. 

In contrast to library binding, the verification problem requires Boolean match- 
ing algorithms which are able to handle m-ary Boolean functions with a large 
number of input variables and need not deal with the change of polarities, i.e., 
inversion of variables. Permutation independent Boolean comparison has been 
tackled by several researchers in the last few years. Mailhot and De Micheli 
[36, 91, 92] were the first to propose a method for library binding which is also 
applicable to permutation independent Boolean comparison and which was not 
a brute force method. In order to prune down equivalence checks, they used 
filters which compute properties of the input variables of the Boolean functions 
under comparison which represent necessary conditions for matching and which 
can easily be verified. In the case of completely specified Boolean functions, 
they take advantage of two facts to reduce the number of input permutations to 
be tested, namely that any permissible input permutation has to assign an unate 
(binate) variable (see Definition 8.4 on page 177) of the synthesized circuit to 
an unate (binate) variable of the specification and that interchangeable inputs 
of the synthesized circuit have to be interchangeable in the specification as 
well. The first condition implies that the Boolean functions which have to be 
compared must have the same number of unate (and binate) variables to have 
a match. The second condition implies that the synthesized circuit has to have 
a maximal set of pairwise interchangeable variables of size k whenever the 
specification contains such a maximal set of pairwise interchangeable variables 
of size k. This idea of filters has been extended, for example by Mohnke et 
al. [105, 106], Wang et al. [143, 144], and Lai et al. [85]. They are called 
signatures in the following. 

A signature is a description of an input variable which is independent of the 
permutation of the inputs of a Boolean function /. So, it can be used to identify 
this variable independent of permutation, i.e., any possible correspondence 
between the input variables of two functions is restricted to a correspondence 
between variables with the same signature. So, if each variable of a function / 
had a unique signature, then there would be at most one possible correspondence 
to the variables of any other function. That is why the quality of any signature 
is characterized by its ability to be a unique identification of a variable and, 
of course, by its ability to be computed fast. The signatures that have been 
introduced in literature differ in terms of quality. Nevertheless, in general this concept is a promising one and successful in a large number of practical cases. However, this method is not complete. There is no signature which can uniquely identify all the variables of the investigated benchmark sets. On comparing the most successful signatures, it can be observed that those benchmarks which have variables that cannot be uniquely identified have always been the same using different signatures. In other words, there is a nearly constant set of benchmarks for which signatures cannot help to solve the permutation problem. Unfortunately, not just 2 or 3 variables of those benchmarks are not uniquely identified, but about 15 and more, so that the number of possible correspondences is still large [27, 106, 108]. Furthermore, this seems to be independent of the method used to solve that problem. In [119], a totally different method for permutation independent Boolean comparison which does not apply signatures has been used. However, even here, the same group of benchmarks causes problems [120]. Another observation is that those benchmarks with non-uniquely identified variables are not the benchmarks with the most inputs. So, from a statistical point of view, it can be conjectured that the quality of the used signatures is not the problem. There is no relationship between the number of input variables of a function and the ability of the signatures to distinguish between all these inputs. This is due to the fact that the variables that cannot be distinguished by signatures have special properties that make it impossible to distinguish between them: the Boolean function under consideration is "symmetric" in these variables.

Now let us go into details.

1. The problem 

The permutation independent Boolean comparison problem is defined as follows: Given two $m$-ary Boolean functions $f = (f_1, \ldots, f_m) \in B_{n,m}$ and $g = (g_1, \ldots, g_m) \in B_{n,m}$. Find a permutation of the variables of $f$ and a permutation of the single-output Boolean functions $f_1, \ldots, f_m$ of $f$ such that $f$ becomes equivalent to $g$. More formally:

Definition 8.1 (permutation independent comparison)

Given two $m$-ary Boolean functions $f, g \in B_{n,m}$ over $X_n$, the permutation independent Boolean comparison problem is the problem of finding a permutation $\tau \in Per(N_n)$ and a permutation $\rho \in Per(N_m)$ such that

$$(f_{\rho(j)} \circ \tau) = g_j$$

holds for all $j \in N_m$, where $\tau \in Per(\{0,1\}^n)$ is defined by

$$\tau(x_1, \ldots, x_n) = (x_{\tau(1)}, \ldots, x_{\tau(n)}).$$

The $m$-ary Boolean functions $f$ and $g$ are said to be permutation equivalent or isomorphic if such permutations $\tau$ and $\rho$ exist.
Note that $\tau$, which is a permutation of $N_n$, induces a permutation $\tau \in Per(X_n)$ defined by

$$\forall x_j \in X_n : \tau(x_j) = x_{\tau(j)}$$

and vice versa. For the sake of simplicity, we use these three functions (the permutation of $N_n$, the permutation of $X_n$, and the permutation of $\{0,1\}^n$) interchangeably and use the notation $\tau$ for each of them. In the following, $\tau$ and $\rho$ are called input permutation and output permutation, respectively.

The corresponding decision problem as to whether two Boolean functions are 
isomorphic is called isomorphism problem in computation theory [138]. If 
Boolean formulae are given for the two Boolean functions, the isomorphism 
problem is known to be NP-hard. The complexity of the isomorphism problem 
for ROBDDs is still unknown, even for single-output Boolean functions. On 
the one hand, no polynomial algorithm solving this problem is known. On the 
other hand, the problem has not been proven to be NP-hard. The only fact 
known about the problem is that it is in NP and that it is not NP-hard unless the 
polynomial hierarchy collapses [139]. 

The following sections follow [105, 108, 109]. 

2. Signatures 

The best way to tackle the permutation independent Boolean comparison problem is to use signatures. We distinguish between signatures for inputs and signatures for outputs. In the following, let $U$ be some ordered set.

Definition 8.2 (input signature) A function

$$S_{in} : \left(\bigcup_{m \in N} B_{n,m}\right) \times \{x_1, \ldots, x_n\} \to U$$

is an input signature function if and only if the equation

$$S_{in}(f_1, \ldots, f_m, x_i) = S_{in}(f_{\rho(1)} \circ \tau, \ldots, f_{\rho(m)} \circ \tau, x_{\tau(i)})$$

holds for all $m \in N$, for all single-output Boolean functions $f_1, \ldots, f_m \in B_n$, for all input permutations $\tau$, and for all output permutations $\rho$. We call the value $S_{in}(f, x_i)$ with $f = (f_1, \ldots, f_m)$ a signature of variable $x_i$ with respect to the $m$-ary Boolean function $f$. $S_n$ denotes the set of input signature functions with domain $(\bigcup_{m \in N} B_{n,m}) \times \{x_1, \ldots, x_n\}$, in the following.

Definition 8.3 (output signature) A function $S_{out} : B_n \to U$ is called output signature function if and only if the equation

$$S_{out}(f_j) = S_{out}(f_j \circ \tau)$$

holds for all single-output Boolean functions $f_j \in B_n$ and for all input permutations $\tau$.
As already mentioned, the correspondence between the outputs of the specification and the outputs of the synthesized circuit can be efficiently established if the correspondence between the input variables is already reconstructed. Thus, at a first glance, using output signatures does not help to solve our correspondence problem. However, knowledge about some output correspondences makes the input correspondence problem easier to solve, since input signatures with respect to identified outputs can be used for restoring the correspondence between the input variables. We will illustrate this statement at the end of this section.

To illustrate the two definitions let us look at an example. Let

$$f = (f_1, f_2, f_3, f_4) \in B_{3,4} \quad \text{and} \quad g = (g_1, g_2, g_3, g_4) \in B_{3,4}$$

be two 4-ary Boolean functions defined by

$$f_1(x_1, x_2, x_3) = (x_1 \cdot x_2) + x_3,$$
$$f_2(x_1, x_2, x_3) = x_2 \cdot x_3,$$
$$f_3(x_1, x_2, x_3) = x_1 \cdot x_3,$$
$$f_4(x_1, x_2, x_3) = x_2$$

and

$$g_1(x_1, x_2, x_3) = x_1 \cdot x_2,$$
$$g_2(x_1, x_2, x_3) = (x_3 \cdot x_1) + x_2,$$
$$g_3(x_1, x_2, x_3) = x_3 \cdot x_2,$$
$$g_4(x_1, x_2, x_3) = x_1.$$

For these two 4-ary Boolean functions it is easy to prove that they are isomorphic. Take function $\tau : \{1, 2, 3\} \to \{1, 2, 3\}$ defined by

$$\tau(1) = 3, \quad \tau(2) = 1, \quad \text{and} \quad \tau(3) = 2$$

as input permutation and the function

$$\rho : \{1, 2, 3, 4\} \to \{1, 2, 3, 4\}$$

defined by

$$\rho(1) = 2, \quad \rho(2) = 1, \quad \rho(3) = 3, \quad \rho(4) = 4$$

as output permutation. The equations

$$(f_{\rho(1)} \circ \tau)(x_1, x_2, x_3) = f_2(\tau(x_1, x_2, x_3)) = f_2(x_{\tau(1)}, x_{\tau(2)}, x_{\tau(3)}) = f_2(x_3, x_1, x_2) = x_1 \cdot x_2 = g_1(x_1, x_2, x_3),$$
$$(f_{\rho(2)} \circ \tau)(x_1, x_2, x_3) = g_2(x_1, x_2, x_3),$$
$$(f_{\rho(3)} \circ \tau)(x_1, x_2, x_3) = g_3(x_1, x_2, x_3),$$
$$(f_{\rho(4)} \circ \tau)(x_1, x_2, x_3) = g_4(x_1, x_2, x_3)$$

hold. Thus, for any input signature function $S$, the input signatures of $x_2$, $x_3$, and $x_1$ with respect to $f$ are equal to the input signatures of $x_1$, $x_2$, and $x_3$, respectively, with respect to $g$.

In order to illustrate the signature based approach for solving the input correspondence problem, let us consider two very simple signature functions, namely the input signature function $in\_dep$ and the output signature function $out\_dep$. The input signature $in\_dep(f, x_i)$ of a variable $x_i$ with respect to an $m$-ary Boolean function $f = (f_1, \ldots, f_m)$ is the number of the single-output Boolean functions $f_j$ of $f$ that essentially depend on $x_i$, i.e.,

$$in\_dep(f_1, \ldots, f_m, x_i) = |\{f_j : f_j \text{ essentially depends on } x_i\}|.$$

A Boolean function $f_j$ essentially depends on variable $x_i$ if there exists an assignment $(\alpha_1, \ldots, \alpha_n) \in \{0,1\}^n$ of the variables of $f_j$ such that

$$f_j(\alpha_1, \ldots, \alpha_{i-1}, 0, \alpha_{i+1}, \ldots, \alpha_n) \neq f_j(\alpha_1, \ldots, \alpha_{i-1}, 1, \alpha_{i+1}, \ldots, \alpha_n)$$

holds. The output signature $out\_dep(f_j)$ of a single-output Boolean function $f_j$ is the number of variables which the Boolean function $f_j$ depends on, i.e.,

$$out\_dep(f_j) = |\{x_i : f_j \text{ essentially depends on } x_i\}|.$$

Now, let us consider the two 4-ary Boolean functions $f = (f_1, f_2, f_3, f_4)$ and $g = (g_1, g_2, g_3, g_4)$ from above. The signature $in\_dep(f, x_1)$ of $x_1$ with respect to $f$ is 2 because only $f_1$ and $f_3$ essentially depend on variable $x_1$. The signatures of $x_2$ and $x_3$ with respect to $f$ are 3:

$$in\_dep(f, x_1) = 2, \quad in\_dep(f, x_2) = 3, \quad in\_dep(f, x_3) = 3.$$
Computing the input signatures with respect to $g$ results in

$$in\_dep(g, x_1) = 3, \quad in\_dep(g, x_2) = 3, \quad in\_dep(g, x_3) = 2.$$

Thus, based on these input signatures, any input permutation $\tau$ for which $f$ and $g$ are equivalent has to satisfy the equation $\tau(1) = 3$. However, we cannot distinguish between variables $x_2$ and $x_3$ of $f$ yet, since they have the same input signature with respect to $f$. Thus, $\tau(2)$ could either be 1 or 2.

Now, apply the output signature $out\_dep$ to the Boolean functions $f_1, f_2, f_3, f_4, g_1, g_2, g_3$, and $g_4$. We obtain

$$out\_dep(f_1) = 3, \quad out\_dep(g_1) = 2,$$
$$out\_dep(f_2) = 2, \quad out\_dep(g_2) = 3,$$
$$out\_dep(f_3) = 2, \quad out\_dep(g_3) = 2,$$
$$out\_dep(f_4) = 1, \quad out\_dep(g_4) = 1.$$

Thus, any output permutation $\rho$ for which $f$ and $g$ are equivalent has to satisfy the equations $\rho(2) = 1$ and $\rho(4) = 4$. Consequently, the Boolean function $f_4$ can correspond to the Boolean function $g_4$ only, and we can use input signatures with respect to $f_4$ and $g_4$, respectively, in order to restore the correspondence between the input variables not yet uniquely identified. These input signatures are given by

$$in\_dep(f_4, x_2) = 1, \quad in\_dep(g_4, x_1) = 1,$$
$$in\_dep(f_4, x_3) = 0, \quad in\_dep(g_4, x_2) = 0.$$

With this, all input variables of $f$ and $g$ are uniquely identified. There is only one input permutation $\tau$ for which the 4-ary Boolean functions $f$ and $g$ can be equivalent. The input permutation $\tau$ is defined by

$$\tau(1) = 3, \quad \tau(2) = 1, \quad \text{and} \quad \tau(3) = 2.$$

In general, an input signature function $S$ partitions the set of the variables of an $m$-ary Boolean function $f = (f_1, \ldots, f_m) \in B_{n,m}$ into disjoint subsets

$$X(S, f, u) = \{x_i : x_i \in X_n \text{ and } S(f, x_i) = u\}.$$

Let

$$\Sigma(S, f) = \{(u, |X(S, f, u)|) : |X(S, f, u)| \neq 0\}$$

be the set that characterizes the nonempty subsets. Then the following lemma holds.
Lemma 8.1 If $f$ and $g$ are isomorphic then $\Sigma(S, f)$ is equal to $\Sigma(S, g)$.

The subsets $X(S, f, u)$ whose sizes are greater than 1 play an important role in the following. Let us call them aliasing groups.

Lemma 8.2 For any $m$-ary Boolean function $f$, at most

$$\prod_{u \in U,\; |X(S, f, u)| \neq 0} |X(S, f, u)|!$$

input permutations have to be applied to solve the permutation independent comparison problem for $f$ and any other $m$-ary Boolean function $g$.

Thus, the problem of permutation independent Boolean comparison with respect to combinational formal logic verification has been reduced to the problem of uniquely distinguishing the input variables of an $m$-ary Boolean function by applying input and output signature functions. In practice, it is even sufficient to reduce the number of aliasing groups to a few with sizes not larger than five to six variables each. In this case all remaining variable correspondences between the two functions $f$ and $g$ can be checked in moderate time.
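The signature procedure of this section carried out in code, as an added worked example that is not code from the book: the functions $f$ and $g$ defined above, the signatures $in\_dep$ and $out\_dep$, the aliasing groups and the Lemma 8.2 bound, the refinement through the identified output pair $(f_4, g_4)$, and the final search over the remaining candidate permutations. Everything is computed from truth tables rather than ROBDDs; the helper names and the 0-based encoding of $\tau$ and $\rho$ as tuples are my own.

```python
from itertools import permutations, product
from math import factorial

# Added example, not the book's code: the functions f and g of this section,
# the signatures in_dep and out_dep, and the permutation search they leave.
# Functions are callables on a tuple (x1, x2, x3); everything is computed from
# truth tables, not from ROBDDs.

N = 3  # number of input variables x1, x2, x3

F = [lambda x: (x[0] & x[1]) | x[2],   # f1 = (x1*x2) + x3
     lambda x: x[1] & x[2],            # f2 = x2*x3
     lambda x: x[0] & x[2],            # f3 = x1*x3
     lambda x: x[1]]                   # f4 = x2
G = [lambda x: x[0] & x[1],            # g1 = x1*x2
     lambda x: (x[2] & x[0]) | x[1],   # g2 = (x3*x1) + x2
     lambda x: x[2] & x[1],            # g3 = x3*x2
     lambda x: x[0]]                   # g4 = x1


def depends_on(fj, i):
    """fj essentially depends on x_{i+1}: flipping that input changes fj somewhere."""
    for a in product((0, 1), repeat=N):
        b = list(a)
        b[i] ^= 1
        if fj(a) != fj(tuple(b)):
            return True
    return False


def in_dep(funcs, i):
    """Input signature: number of single-output functions depending on x_{i+1}."""
    return sum(depends_on(fj, i) for fj in funcs)


def out_dep(fj):
    """Output signature: number of variables fj essentially depends on."""
    return sum(depends_on(fj, i) for i in range(N))


def aliasing_groups(funcs):
    """The sets X(S, f, u) for S = in_dep: variable indices grouped by signature."""
    groups = {}
    for i in range(N):
        groups.setdefault(in_dep(funcs, i), []).append(i)
    return groups


def lemma_8_2_bound(funcs):
    """Product of |X(S, f, u)|! over the nonempty groups (Lemma 8.2)."""
    bound = 1
    for members in aliasing_groups(funcs).values():
        bound *= factorial(len(members))
    return bound


def candidate_input_perms(f, g):
    """Input permutations tau (0-based tuples, tau[i] = tau(i+1)-1) that respect
    in_dep: x_i of f may only be mapped to a variable of g with equal signature."""
    sig_f = [in_dep(f, i) for i in range(N)]
    sig_g = [in_dep(g, i) for i in range(N)]
    return [tau for tau in permutations(range(N))
            if all(sig_f[i] == sig_g[tau[i]] for i in range(N))]


def candidate_output_perms(f, g):
    """Output permutations rho that respect out_dep: out_dep(f_rho(j)) == out_dep(g_j)."""
    m = len(f)
    return [rho for rho in permutations(range(m))
            if all(out_dep(f[rho[j]]) == out_dep(g[j]) for j in range(m))]


def equivalent_under(f, g, tau, rho):
    """Check (f_{rho(j)} o tau)(x) == g_j(x) for all j and x, where
    tau(x1, ..., xn) = (x_{tau(1)}, ..., x_{tau(n)}) as in Definition 8.1."""
    for x in product((0, 1), repeat=N):
        tx = tuple(x[tau[i]] for i in range(N))
        if any(f[rho[j]](tx) != g[j](x) for j in range(len(f))):
            return False
    return True


def solve(f, g):
    """First (tau, rho) among the signature-filtered candidates under which
    f and g are equivalent, or None if f and g are not isomorphic."""
    for tau in candidate_input_perms(f, g):
        for rho in candidate_output_perms(f, g):
            if equivalent_under(f, g, tau, rho):
                return tau, rho
    return None


if __name__ == "__main__":
    print("in_dep(f):", [in_dep(F, i) for i in range(N)])   # [2, 3, 3]
    print("in_dep(g):", [in_dep(G, i) for i in range(N)])   # [3, 3, 2]
    print("aliasing groups of f:", aliasing_groups(F))       # {2: [0], 3: [1, 2]}
    print("Lemma 8.2 bound:", lemma_8_2_bound(F))           # 2
    print("in_dep wrt f4 only:", [in_dep([F[3]], i) for i in range(N)])  # [0, 1, 0]
    print("solution (tau, rho):", solve(F, G))              # ((2, 0, 1), (1, 0, 2, 3))
```

The single aliasing group $\{x_2, x_3\}$ leaves $1! \cdot 2! = 2$ candidate input permutations, and the signature of the already identified pair $(f_4, g_4)$ separates the two members of the group. The solution printed last is the book's $\tau(1) = 3, \tau(2) = 1, \tau(3) = 2$ and $\rho = (2, 1, 3, 4)$ in 0-based form.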

3. Examples of signatures 

In the following, we present input and output signature functions that can be used as filters during permutation independent Boolean comparison of $m$-ary Boolean functions. In particular, we deal with the ROBDD based computation of the proposed signatures. For this, let $f$ be an $m$-ary Boolean function consisting of $m$ single-output Boolean functions $f_1, \ldots, f_m \in B_n$ represented by an ROBDD $G$. Remember that $|G|$ denotes the size of the ROBDD $G$.

3.1 Input signature functions 

3.1.1 Using the support of Boolean functions 

A first input signature function denoted by $in\_dep$ has already been presented
in the last section. It computes the number of single-output Boolean functions
of $f$ that essentially depend on $x_i$, i.e., the size of the support of $f$. This data
can efficiently be computed in time $O(n \cdot |G|)$ by a bottom-up pass over $G$.
For any node $w$ of $G$ with label $x_i$ and successors $w_0$ and $w_1$, the support
$support(\phi(w))$ of $\phi(w)$, which is the Boolean function represented by node $w$
(see Definition 3.7 on page 32), is given by

$support(\phi(w)) = support(\phi(w_0)) \cup support(\phi(w_1)) \cup \{x_i\}.$

After this bottom-up pass, the signature $in\_dep(f, x_i)$ can be computed by the
formula

$in\_dep(f, x_i) = |\{f_j : x_i \in support(f_j)\}|.$
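As an added example (not the book's own code), the partition into aliasing groups of the previous section and the $in\_dep$ signature just described, computed over a truth-table representation instead of ROBDDs, with the bound of Lemma 8.2 and the invariance of Lemma 8.1 checked on a constructed 4-input, 3-output function; the function names and the bitmask encoding are this example's assumptions.

```python
from math import factorial

def tt(n, fn):
    """Truth table of an n-variable Boolean function as an int bitmask (assumed encoding):
    bit a is set iff fn(a_1, ..., a_n) = 1, where a_i is bit i-1 of a (x_1 is bit 0)."""
    return sum(1 << a for a in range(1 << n) if fn(*[(a >> k) & 1 for k in range(n)]))

def cofactor(f, n, i, v):
    """(f)_{x_i=v} as a function over all n variables (it no longer depends on x_i)."""
    mask, res = 1 << (i - 1), 0
    for a in range(1 << n):
        b = (a | mask) if v else (a & ~mask)
        if (f >> b) & 1:
            res |= 1 << a
    return res

def support(f, n):
    """Variables f essentially depends on: those whose two cofactors differ."""
    return {i for i in range(1, n + 1) if cofactor(f, n, i, 0) != cofactor(f, n, i, 1)}

def in_dep(F, n, i):
    """in_dep(f, x_i) = |{f_j : x_i in support(f_j)}| for the m-ary f = (f_1, ..., f_m)."""
    return sum(1 for fj in F if i in support(fj, n))

def classes(S, F, n):
    """The subsets X(S, f, u): maps each signature value u to the set of indices i."""
    X = {}
    for i in range(1, n + 1):
        X.setdefault(S(F, n, i), set()).add(i)
    return X

def sigma(S, F, n):
    """Sigma(S, f) = {(u, |X(S,f,u)|) : |X(S,f,u)| != 0}, invariant under isomorphism (Lemma 8.1)."""
    return frozenset((u, len(xs)) for u, xs in classes(S, F, n).items())

def aliasing_groups(S, F, n):
    """Subsets of size > 1: the variables that S cannot tell apart."""
    return [frozenset(xs) for xs in classes(S, F, n).values() if len(xs) > 1]

def permutation_bound(S, F, n):
    """Lemma 8.2: at most prod |X(S,f,u)|! input permutations remain to be tried."""
    bound = 1
    for xs in classes(S, F, n).values():
        bound *= factorial(len(xs))
    return bound

def compose(f, n, tau):
    """f o tau: (f o tau)(x_1, ..., x_n) = f(x_tau(1), ..., x_tau(n)), with tau[k-1] = tau(k)."""
    res = 0
    for a in range(1 << n):
        b = sum(((a >> (tau[k] - 1)) & 1) << k for k in range(n))
        if (f >> b) & 1:
            res |= 1 << a
    return res

# Constructed 3-output, 4-input function f = (f_1, f_2, f_3).
N = 4
F = [
    tt(N, lambda x1, x2, x3, x4: x1 & x2),
    tt(N, lambda x1, x2, x3, x4: x1 | x3),
    tt(N, lambda x1, x2, x3, x4: x2 ^ x3 ^ x4),
]
# g = f o tau for the constructed input permutation tau(1)=2, tau(2)=3, tau(3)=1, tau(4)=4.
TAU = (2, 3, 1, 4)
G = [compose(fj, N, TAU) for fj in F]

if __name__ == "__main__":
    print("in_dep(f, x_i):", {i: in_dep(F, N, i) for i in range(1, N + 1)})
    print("aliasing groups:", aliasing_groups(in_dep, F, N))   # x_1, x_2, x_3 all score 2
    print("Lemma 8.2 bound:", permutation_bound(in_dep, F, N))  # 3! * 1! = 6
    print("Sigma(in_dep, f) == Sigma(in_dep, g):", sigma(in_dep, F, N) == sigma(in_dep, G, N))
```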
3.1.2 Using the unateness of Boolean functions

The next input signature function, which has been proposed by Mailhot and De
Micheli [92], gives information about whether a variable is unate or binate.

Definition 8.4 (unate/binate variable)

■ A variable $x_i$ is positive unate with respect to $f$, if for all $j \in \mathbb{N}_m$ the
negative cofactor $(f_j)_{x_i=0}$ is smaller (see Definition 2.9 on page 15) than
the positive cofactor $(f_j)_{x_i=1}$.

■ A variable $x_i$ is negative unate with respect to $f$, if for all $j \in \mathbb{N}_m$ the
positive cofactor $(f_j)_{x_i=1}$ is smaller than the negative cofactor $(f_j)_{x_i=0}$.

■ A variable $x_i$ is binate with respect to $f$, if $x_i$ is neither positive unate nor
negative unate with respect to $f$.

Formally, the input signature function $unate$ can be defined by

$unate(f, x_i) = \begin{cases} -1, & \text{if } x_i \text{ is negative unate with respect to } f \\ 1, & \text{if } x_i \text{ is positive unate with respect to } f \\ 0, & \text{if } x_i \text{ is binate with respect to } f. \end{cases}$

This input signature function can be made more sophisticated by computing the
number of single-output Boolean functions in which the variable $x_i$ is positive
unate and the number of single-output Boolean functions in which $x_i$ is negative
unate, i.e., by using the input signature function

$UNATE : \left(\bigcup_{m \in \mathbb{N}} B_{n,m}\right) \times \{x_1, \ldots, x_n\} \to \mathbb{N}_0 \times \mathbb{N}_0$

with

$UNATE(f, x_i) = \big(|\{f_j : x_i \text{ is positive unate with respect to } f_j\}|,\ |\{f_j : x_i \text{ is negative unate with respect to } f_j\}|\big).$

Checking whether a single-output Boolean function $f_j$ is positive unate or
negative unate can be done by using the fact that the set $B_n$ of the completely
specified Boolean functions with $n$ inputs forms a partially ordered set. Just
generate the ROBDDs of the cofactors $(f_j)_{x_i=0}$ and $(f_j)_{x_i=1}$ and check whether

$(f_j)_{x_i=0} + (f_j)_{x_i=1} = (f_j)_{x_i=1}$

or

$(f_j)_{x_i=0} + (f_j)_{x_i=1} = (f_j)_{x_i=0}$

holds. This can be done in expected time $O(|G|^2)$ (see Chapter 3). Thus the
computation of the signature $UNATE(f, x_i)$ can be done in expected time
$O(m \cdot |G|^2)$.
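An added example, not from the book: the unateness test of Definition 8.4 via the partial order of $B_n$, checking $(f_j)_{x_i=0} + (f_j)_{x_i=1} = (f_j)_{x_i=1}$ (and its mirror image) on truth tables rather than ROBDDs, giving both $unate$ and $UNATE$ for a constructed 3-output function; the names and the bitmask encoding are assumptions.

```python
def tt(n, fn):
    """Truth table of an n-variable Boolean function as an int bitmask (assumed encoding):
    bit a is set iff fn(a_1, ..., a_n) = 1, where a_i is bit i-1 of a (x_1 is bit 0)."""
    return sum(1 << a for a in range(1 << n) if fn(*[(a >> k) & 1 for k in range(n)]))

def cofactor(f, n, i, v):
    """(f)_{x_i=v} as a function over all n variables (it no longer depends on x_i)."""
    mask, res = 1 << (i - 1), 0
    for a in range(1 << n):
        b = (a | mask) if v else (a & ~mask)
        if (f >> b) & 1:
            res |= 1 << a
    return res

def smaller(g, h):
    """g is smaller than h in the partial order of B_n (Definition 2.9): g + h = h."""
    return (g | h) == h

def unateness(f, n, i):
    """(positive unate?, negative unate?) of x_i w.r.t. the single-output f, by comparing
    the negative cofactor (f)_{x_i=0} with the positive cofactor (f)_{x_i=1}."""
    c0, c1 = cofactor(f, n, i, 0), cofactor(f, n, i, 1)
    return smaller(c0, c1), smaller(c1, c0)

def unate(F, n, i):
    """unate(f, x_i): 1 if x_i is positive unate in every f_j, -1 if negative unate in every
    f_j, else 0 (binate). Assumption of this example: a variable no f_j depends on satisfies
    both conditions of Definition 8.4 and is reported as positive unate."""
    pos, neg = zip(*(unateness(fj, n, i) for fj in F))
    if all(pos):
        return 1
    if all(neg):
        return -1
    return 0

def UNATE(F, n, i):
    """UNATE(f, x_i) = (# f_j with x_i positive unate, # f_j with x_i negative unate)."""
    pos, neg = zip(*(unateness(fj, n, i) for fj in F))
    return sum(pos), sum(neg)

# Constructed 3-output, 3-input function f = (f_1, f_2, f_3).
N = 3
F = [
    tt(N, lambda x1, x2, x3: (x1 & x2) | x3),                     # positive unate in x1, x2, x3
    tt(N, lambda x1, x2, x3: ((1 - x1) & x2) | ((1 - x2) & x3)),  # negative unate in x1, binate in x2
    tt(N, lambda x1, x2, x3: x1 ^ x2),                            # binate in x1, x2; independent of x3
]
NEG = [F[1]]   # single-output function in which x_1 is negative unate

if __name__ == "__main__":
    for i in range(1, N + 1):
        print(f"x_{i}: unate = {unate(F, N, i)}, UNATE = {UNATE(F, N, i)}")
    print("unate(f_2, x_1) =", unate(NEG, N, 1))   # -1
```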
3.1.3 Satisfy count signatures

A further class of input signature functions can be obtained by considering
the satisfy counts of some particular Boolean sub-functions $h_j \in B_n$ of the
single-output Boolean functions $f_j$.

Cofactor satisfy count signature. A very simple input signature function
which is based on the satisfy count is the cofactor satisfy count, which has been
independently introduced by different researchers [27, 85, 106]. They take the
positive cofactor $(f_j)_{x_i=1}$ for the Boolean function $h_j$ from above. Formally,
the cofactor satisfy count signature can be defined by

$S_{cofactor}(f, x_i) = \{(k, m_{k,x_i}) : k \in \mathbb{N}_0 \text{ and } m_{k,x_i} \neq 0\}$

where $m_{k,x_i}$ is the number of single-output Boolean functions $f_j$ of the $m$-ary
Boolean function $f$ with $|(f_j)_{x_i=1}| = k$. Thus, for all $k \in \mathbb{N}_0$, the cofactor
satisfy count signature of variable $x_i$ gives the number of single-output Boolean
functions $f_j$ whose positive cofactor $(f_j)_{x_i=1}$ has exactly $k$ satisfying input
assignments.

For the computation of the satisfy counts of $(f_1)_{x_i=1}, \ldots, (f_m)_{x_i=1}$ we
use the same bottom-up algorithm as described in Chapter 3 Section 3.2.5, with
the only difference that at nodes $w$ labelled with $x_i$ the low-edge must not be
considered and the computation step has to be substituted by

$|\phi(w)| = 2 \cdot \ldots$

$w_1$ denoting the high-successor of node $w$. Thus, the computation only performs $O(|G|)$ operations (see Chapter 3 Section 3.2.5 on page 42).

Considering the satisfy counts of the negative cofactors $(f_1)_{x_i=0}, \ldots, (f_m)_{x_i=0}$
does not provide new information about the input variables because of the
property

$2 \cdot |f_j| = |(f_j)_{x_i=0}| + |(f_j)_{x_i=1}|.$

Existential abstraction satisfy count signature. Another input signature
function which is based on the satisfy count uses the satisfy counts of the
existential abstractions $(\exists x_i : f_1), \ldots, (\exists x_i : f_m)$ of $x_i$ with respect to the
single-output Boolean functions $f_1, \ldots, f_m$ [105, 106]. Formally, this input
signature function is defined by

$S_{\exists}(f, x_i) = \{(k, p_{k,x_i}) : k \in \mathbb{N}_0 \text{ and } p_{k,x_i} > 0\},$

where $p_{k,x_i}$ is the number of single-output Boolean functions $f_j$ of the $m$-ary
Boolean function $f$ with $|(\exists x_i : f_j)| = k$. The computation of the existential
abstraction satisfy count signature of a variable $x_i$ with respect to $f$ is a little bit
more expensive than the computation of the signature $S_{cofactor}(f, x_i)$ because
we have to construct the ROBDDs of $(\exists x_i : f_1), \ldots, (\exists x_i : f_m)$, which needs
time $O(m \cdot |G|^2)$.

Considering the satisfy counts of the universal abstractions $(\forall x_i : f_1), \ldots, (\forall x_i : f_m)$ or the satisfy counts of the Boolean differences $\partial f_1 / \partial x_i, \ldots, \partial f_m / \partial x_i$
does not provide new information about the input variables because of the two
properties

$2 \cdot |f_j| = |(\exists x_i : f_j)| + |(\forall x_i : f_j)|$

and

$2 \cdot |f_j| = 2 \cdot |(\exists x_i : f_j)| - |\partial f_j / \partial x_i|.$

Breakup signatures. A further class of input signature functions, which are
based on satisfy counts as well, considers the Hamming distances between the
satisfying input assignments and a permutation independent origin $o$. The
idea is to break the satisfy count of a Boolean function over $n$ variables into
$n + 1$ special, permutation independent components. It has been proposed in
[105, 106]. Let us explain the idea by first considering only one single-output
function $f_j \in B_n$. We take the vector $(0, \ldots, 0) \in \{0, 1\}^n$ as permutation
independent origin $o$. We are interested in the number of satisfying input
assignments $a \in \{0, 1\}^n$ of $f_j$ with Hamming distance $d$ from the origin $o$.
Formally, this can be defined by a function

$\Psi : B_n \to$

with

and

$0$, otherwise.

In practice two breakup signature functions have been proven to be useful:

■ $\Psi((f_j)_{x_i=1})$ which uses the cofactor function of $f_j$ with respect to a variable
$x_i$ and

■ $\Psi(\exists x_i : f_j)$ which uses the existential abstraction of $f_j$ with respect to a
variable $x_i$.

As an example, let us consider function

$f(x_1, x_2, x_3) = (x_1 \cdot x_2) + (\overline{x_1} \cdot x_3)$

and its input variable $x_1$. Figure 8.1 shows a cube representation for the positive
cofactor function $f_{x_1=1}$ which is $x_2$. Black dots indicate vertices where the
cofactor function is equal to 1, white dots indicate the vertices where the cofactor
function is equal to 0. With origin $o = (0, 0, 0)$ the vertices can be separated
into four different, permutation independent levels as you can see in the figure.
The $d$th level indicates the $d$th component in the breakup signature which is
the number of black dots with distance $d$ from the origin. This information
is permutation independent since the origin $o$ is permutation independent, the
distance is permutation independent because it groups together all vertices with
a constant number of variables equal to 1 independently of the order of these
variables themselves, and the counting step itself is permutation independent
because just the number of black dots in a level is of interest, not their places
in this cube level.

Permutation Independent Boolean Comparison 181

The generalization of this idea to $m$-ary functions $f = (f_1, \ldots, f_m)$ is quite
easy. It works with the same principle as before. For any $k, d \in \mathbb{N}_0$, compute
the numbers of single-output Boolean functions of $f$ whose positive cofactors (existential abstractions) with respect to $x_i$ have exactly $k$ satisfying input
assignments with Hamming distance $d$ from the origin $o$. Formally, the two
breakup signature functions can be defined by

$S^{breakup}_{cofactor}(f, x_i) = \{(k, d, q_{k,d,x_i}) : k, d \in \mathbb{N}_0 \text{ and } q_{k,d,x_i} \neq 0\}$

where $q_{k,d,x_i}$ is the number of single-output Boolean functions $f_j$ of the $m$-ary
Boolean function $f$ with $\Psi((f_j)_{x_i=1})_d = k$, and

$S^{breakup}_{\exists}(f, x_i) = \{(k, d, r_{k,d,x_i}) : k, d \in \mathbb{N}_0 \text{ and } r_{k,d,x_i} > 0\}$

where $r_{k,d,x_i}$ is the number of single-output Boolean functions $f_j$ of the $m$-ary
Boolean function $f$ with $\Psi(\exists x_i : f_j)_d = k$. The computation of these two
signatures of a variable $x_i$ performs $O(|G| \cdot n)$ and $O(|G|^2 \cdot n)$ operations,
respectively.
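An added example (not the book's code) for the satisfy count signatures of Section 3.1.3: the cofactor and existential abstraction satisfy count signatures, the breakup vector $\Psi$ on the text's function $f = x_1 x_2 + \overline{x_1} x_3$ (reproducing the four levels of Figure 8.1), the two breakup signature functions, and the three identities that make the negative cofactor, the universal abstraction and the Boolean difference redundant. Truth tables replace ROBDDs; the names, the second output $g$ and the bitmask encoding are assumptions.

```python
from collections import Counter

def tt(n, fn):
    """Truth table of an n-variable Boolean function as an int bitmask (assumed encoding):
    bit a is set iff fn(a_1, ..., a_n) = 1, where a_i is bit i-1 of a (x_1 is bit 0)."""
    return sum(1 << a for a in range(1 << n) if fn(*[(a >> k) & 1 for k in range(n)]))

def cofactor(f, n, i, v):
    """(f)_{x_i=v} as a function over all n variables (it no longer depends on x_i)."""
    mask, res = 1 << (i - 1), 0
    for a in range(1 << n):
        b = (a | mask) if v else (a & ~mask)
        if (f >> b) & 1:
            res |= 1 << a
    return res

def count(h):
    """Satisfy count |h|: the number of set bits of the truth table."""
    return bin(h).count("1")

def pos_cofactor(f, n, i):
    return cofactor(f, n, i, 1)

def exists(f, n, i):
    """Existential abstraction (exists x_i : f) = (f)_{x_i=0} + (f)_{x_i=1}."""
    return cofactor(f, n, i, 0) | cofactor(f, n, i, 1)

def forall(f, n, i):
    """Universal abstraction (forall x_i : f) = (f)_{x_i=0} * (f)_{x_i=1}."""
    return cofactor(f, n, i, 0) & cofactor(f, n, i, 1)

def bdiff(f, n, i):
    """Boolean difference df/dx_i = (f)_{x_i=0} xor (f)_{x_i=1}."""
    return cofactor(f, n, i, 0) ^ cofactor(f, n, i, 1)

def S_cofactor(F, n, i):
    """{(k, m_{k,x_i}) : m_{k,x_i} != 0}: m_{k,x_i} = # f_j with |(f_j)_{x_i=1}| = k."""
    return frozenset(Counter(count(cofactor(fj, n, i, 1)) for fj in F).items())

def S_exists(F, n, i):
    """{(k, p_{k,x_i}) : p_{k,x_i} > 0}: p_{k,x_i} = # f_j with |(exists x_i : f_j)| = k."""
    return frozenset(Counter(count(exists(fj, n, i)) for fj in F).items())

def psi(h, n):
    """Breakup vector Psi(h) = (psi_0, ..., psi_n): psi_d is the number of satisfying
    assignments of h at Hamming distance d from the origin o = (0, ..., 0)."""
    levels = [0] * (n + 1)
    for a in range(1 << n):
        if (h >> a) & 1:
            levels[bin(a).count("1")] += 1
    return tuple(levels)

def S_breakup(F, n, i, sub):
    """{(k, d, c) : c != 0} with c = # f_j such that Psi(sub(f_j))_d = k. With sub =
    pos_cofactor this is S^breakup_cofactor (counts q), with sub = exists S^breakup_exists (r)."""
    c = Counter()
    for fj in F:
        for d, k in enumerate(psi(sub(fj, n, i), n)):
            c[(k, d)] += 1
    return frozenset((k, d, q) for (k, d), q in c.items())

def identities_hold(f, n, i):
    """The three properties from the text, for a single-output f and a variable x_i."""
    c0, c1 = cofactor(f, n, i, 0), cofactor(f, n, i, 1)
    return (2 * count(f) == count(c0) + count(c1)
            and 2 * count(f) == count(exists(f, n, i)) + count(forall(f, n, i))
            and 2 * count(f) == 2 * count(exists(f, n, i)) - count(bdiff(f, n, i)))

N = 3
f = tt(N, lambda x1, x2, x3: (x1 & x2) | ((1 - x1) & x3))  # the text's f = x1 x2 + x1' x3
g = tt(N, lambda x1, x2, x3: x2 & x3)                       # constructed second output
F = [f, g]

if __name__ == "__main__":
    print("f_{x1=1} is x2:", cofactor(f, N, 1, 1) == tt(N, lambda x1, x2, x3: x2))
    print("Psi(f_{x1=1}):", psi(cofactor(f, N, 1, 1), N))   # (0, 1, 2, 1): the levels of Figure 8.1
    print("S_cofactor(F, x1):", S_cofactor(F, N, 1))
    print("S_exists(F, x1):", S_exists(F, N, 1))
    print("S_breakup_cofactor(F, x1):", S_breakup(F, N, 1, pos_cofactor))
    print("identities:", all(identities_hold(fj, N, i) for fj in F for i in range(1, N + 1)))
```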



Cross signature. Schlichtmann, Brglez, and Schneider [127] proposed to use
not only the satisfy counts of $(f_j)_{x_i=1}$ ($j = 1, \ldots, m$) but also the satisfy counts
of the cofactors $(f_j)_{[x_i, x_l]=(1,0)}$
to uniquely identify variable $x_i$. More formally, the signature $S_{cr}(f_1, \ldots, f_m, x_i)$
of variable $x_i$ with respect to $f_1, \ldots, f_m$ is given by the $m$ ordered lists $L(f_j, x_i)$
of the satisfy counts

$|(f_j)_{[x_i, x_1]=(1,0)}|, \ldots, |(f_j)_{[x_i, x_n]=(1,0)}|$

for $j = 1, \ldots, m$. The lexicographically ordered list $T(f_1, \ldots, f_m, x_i)$ of
the vectors $L(f_1, x_i), \ldots, L(f_m, x_i)$ is obviously a permutation independent
information about variable $x_i$. A generalization of this cross signature function
has been presented by Wang, Hwang, and Chen [144].

3.1.4 Function signatures

Function signatures of input variables with respect to an $m$-ary Boolean function
$f = (f_1, \ldots, f_m)$ are not values or vectors of values, but particular Boolean
functions or vectors of Boolean functions. These signatures can be applied
when some input variables have already been uniquely identified. The idea is
to use sub-functions of the single-output Boolean functions $f_1, \ldots, f_m$ which
only depend on input variables which have already been uniquely identified.
Assume that the variables $x_{k+1}, \ldots, x_n$ have been uniquely identified. Then,
the two Boolean functions

and

$(f_j)_{[x_1, \ldots, x_{i-1}, x_i, x_{i+1}, \ldots, x_k] = (0, \ldots, 0, 1, 0, \ldots, 0)} \circ \tau_{can}$

provide permutation independent information about the input variable $x_i$ if $\tau_{can}$
is an input permutation that constructs a unique order of the uniquely identified
input variables $x_{k+1}, \ldots, x_n$.

3.2 Output signature functions

Since output signature functions are based on input signature functions in most
cases, we touch on this problem very briefly.

3.2.1 Using the support of a Boolean function

A first output signature function denoted by $out\_dep$ has already been proposed.
It computes the number of variables which a single-output Boolean function
$f_j$ essentially depends on. The computation of this data can be done by depth-first search on the ROBDD $G_{f_j}$. This process can be stopped when all $n$ input
variables have been encountered.

3.2.2 Satisfy count output signatures

Satisfy count output signatures can be directly developed by applying input
signature functions as introduced in Section 3.1.3. The most important are

■ the satisfy count $|f_j|$,

■ the ordered vector of the cofactor satisfy counts $|(f_j)_{x_1=1}|, \ldots, |(f_j)_{x_n=1}|$,

■ the breakup signature with respect to $f_j$.

3.2.3 Structure of symmetry sets

A more sophisticated output signature can be obtained by computing the maximal sets of pairwise interchangeable input variables of $f_j$.

Definition 8.5 (symmetric Boolean function)

A single-output Boolean function $f_j \in B_n$ is symmetric in the input variables
$x_i$ and $x_k$ ($i < k$) if and only if

$f_j(\alpha_1, \ldots, \alpha_i, \ldots, \alpha_k, \ldots, \alpha_n) = f_j(\alpha_1, \ldots, \alpha_k, \ldots, \alpha_i, \ldots, \alpha_n)$

holds for all $\alpha \in \{0, 1\}^n$. $x_i$ and $x_k$ are called a pair of symmetric variables.

It is well known that symmetry as defined in Definition 8.5 leads to an equivalence relation on the set $X_n$ of the input variables of $f_j$. The equivalence
classes are the maximal subsets of pairwise interchangeable input variables.
Obviously,

$S_{symm}(f_j) = \{(k, t_k) : k \in \mathbb{N} \text{ and } t_k \neq 0\},$

where $t_k$ is the number of equivalence classes of size $k$, is a permutation independent information about $f_j$ and represents an output signature function.
To compute the equivalence classes, we use the fact that a single-output Boolean
function $f_j$ is symmetric in $x_i$ and $x_j$ if and only if

holds. In a preprocessing step, we use filters to detect as many asymmetries as
possible to prune the number of symmetry checks, because each symmetry check
has to construct ROBDDs for the cofactor functions, which is time consuming.
Some of these filters use input signature functions. The idea behind it is that
a single-output Boolean function $f_j$ is not symmetric in the input variables $x_i$
and $x_j$ if $x_i$ and $x_j$ do not have the same input signature. We will discuss this
statement in the next section. More details on efficient computation of maximal
sets of pairwise interchangeable input variables can be found in [110, 132].

4. Limits of signatures

The main problem that arises in this paradigm is when different variables of
a function $f$ have the same signature, so that it is not possible to distinguish
between these variables, i.e., there is no unique correspondence that can be
established with the inputs of any other function. A group of such variables
is called an aliasing group. Suppose there is just one aliasing group of inputs
of a function $f$ after applying certain signatures. If the size of this group is $k$,
then there are still $k!$ correspondence possibilities to test between the inputs of
$f$ and the inputs of any other function $g$, in general (cf. Lemma 8.2). However,
in certain special cases, aliasing is not dramatic. For instance, assume that the
Boolean function under consideration is invariant under the permutation of the
input variables $x_{i_1}, \ldots, x_{i_j}$, i.e., $f$ is symmetric in the variables $\{x_{i_1}, \ldots, x_{i_j}\}$;
then any order of $x_{i_1}, \ldots, x_{i_j}$ is fine for the purpose of testing permutation equivalence although $x_{i_1}, \ldots, x_{i_j}$ are contained in the same aliasing group. Thus,
whenever we know that $f$ is symmetric in $j$ variables of an aliasing group, the
number of correspondences which have to be tested by Lemma 8.2 decreases
by the factor $j!$.

What can we say about the practical experiences with using signatures? When
considering the benchmarks of the LGSynth91 [89] and the ESPRESSO benchmark set [18], approximately 92% of all benchmarks have a unique correspondence for their inputs, i.e., all their variables can be uniquely identified assuming that symmetric variables (as defined in Definition 8.5) are used during
the identification process as just explained. For the 8% of benchmarks with
aliasing, the number of possibilities for correspondence among inputs ranges
from 4 to approximately $10^{\ldots}$ after applying all signatures [105]. Considering
the complete set of benchmarks, we can make the observation that there is no
relationship between the number of input variables of a function and the ability
of the signatures to distinguish between all these inputs. The problem seems
to be that there are special properties that make it impossible to distinguish
between those variables via signatures. Since signatures work well for about
92% of the benchmarks, there is no reason to reject the signature approach.
What we need is a moderate solution for the other 8% as well. For circuits with
just a few correspondence possibilities, the obvious solution of enumerating
all possibilities works well. But what about the other circuits? For those, we
cannot be satisfied with existing solutions. A further understanding of these
cases is the focus of the remaining sections of this chapter. At first, we discuss
a property of input variables which makes it impossible to distinguish between
variables with aliasing with the help of signatures. This property has to do
with symmetry: it is the so called $\mathcal{G}$-symmetry. We introduce $\mathcal{G}$-symmetry
and explain why $\mathcal{G}$-symmetry prevents a unique identification of input variables
with the help of signatures. To be able to explain the concepts more clearly we
restrict our considerations to Boolean functions $f \in B_n$ with one output only.
$\mathcal{G}$-symmetry can be defined as follows:

Definition 8.6 ($\mathcal{G}$-symmetry) Consider a subgroup $\mathcal{G} \subseteq Per(X_n)$ of
permutations of the variables $\{x_1, \ldots, x_n\}$. A Boolean function $f \in B_n$ is
$\mathcal{G}$-symmetric if $f$ keeps invariant under all input permutations $\tau$ in $\mathcal{G}$, i.e.,

$\forall \tau \in \mathcal{G} : f \circ \tau = f.$

$\mathcal{G}$-symmetry was defined similarly by Hotz in 1974 [63]. The simplest example
for $\mathcal{G}$-symmetry is a Boolean function $f$ that is symmetric in all input variables.
Here, $\mathcal{G}$ is equal to the permutation group $Per(X_n)$, and we say $f$ is $Per(X_n)$-symmetric.

By definition, the group $\mathcal{G}$ may also be the group which contains the identity
$1$ only. So we can consider those Boolean functions with no $\mathcal{G}$-symmetry as
functions that are $\mathcal{G}$-symmetric with respect to the set $\mathcal{G} = \{1\}$.

In the following, let $\mathcal{G}(f) \subseteq Per(X_n)$ be the set of all the input permutations
under which the Boolean function $f$ keeps invariant. Then, we can formulate
the following properties:

Lemma 8.3 For each function $f \in B_n$, the set $\mathcal{G}(f)$ forms a group.

Proof: Let $\tau, \tau_1, \tau_2 \in \mathcal{G}(f)$. We need to prove that $\tau^{-1} \in \mathcal{G}(f)$ and
$\tau_1 \circ \tau_2 \in \mathcal{G}(f)$ hold. Both statements follow by

$f \circ \tau^{-1} = (f \circ \tau) \circ \tau^{-1} = f \circ (\tau \circ \tau^{-1}) = f$

and

$f \circ (\tau_1 \circ \tau_2) = (f \circ \tau_1) \circ \tau_2 = f \circ \tau_2 = f.$

In other words, both the input permutation $\tau^{-1}$ and the input permutation $\tau_1 \circ \tau_2$
keep the function $f$ invariant, thus $\tau^{-1} \in \mathcal{G}(f)$ and $\tau_1 \circ \tau_2 \in \mathcal{G}(f)$ hold. ■

In order to understand the significance of $\mathcal{G}$-symmetry for the permutation
equivalence problem, let us consider the relation $R_{\mathcal{G}}$ on the set of input variables,
$X_n = \{x_1, x_2, \ldots, x_n\}$, which is defined by a group of permutations $\mathcal{G} \subseteq Per(X_n)$. Formally, relation $R_{\mathcal{G}}$ is defined by

$\forall x_i, x_j \in X_n : x_i R_{\mathcal{G}} x_j \iff \exists \tau \in \mathcal{G} : \tau(x_i) = x_j.$

Lemma 8.4 The relation $R_{\mathcal{G}}$ is an equivalence relation.

Proof: This follows immediately from the property that $\mathcal{G}$ is a group. ■

Let us denote with $A = \{A_1, A_2, \ldots, A_k\}$ the set of equivalence classes with
respect to $R_{\mathcal{G}}$ which partitions the input variables of $X_n$.

Lemma 8.5 For each Boolean function $f \in B_n$ and its set of input variables $X_n$, the partition $A$ of the input variables of $f$ which corresponds to the
equivalence relation $R_{\mathcal{G}(f)}$ is well-defined.

Often it is enough to consider this partition $A$ as an unordered set of subsets of
the inputs. However, sometimes we have to look at it as an ordered set.

Lemma 8.6 Given a Boolean function $f \in B_n$ and the well-defined partition
$A = \{A_1, A_2, \ldots, A_k\}$ of its input variables, there is a well-defined and ordered partition $A^f = [A^f_1, A^f_2, \ldots, A^f_k]$ of the input variables with respect to
$f$ which is constructed as follows:

1 $A^f$ considered as unordered set of subsets is equal to partition $A$.

2 The ordering step works as follows:

(a) Order the subsets by their size, such that $|A^f_i| \le |A^f_{i+1}|$ for all $1 \le i < k$.

(b) If some subsets have the same size, then use the elements of them to
establish an ordering, such that $j < l$ holds if

■ $|A^f_i| = |A^f_{i+1}|$,

■ $j = \min\{h : x_h \in A^f_i\}$, and

■ $l = \min\{h : x_h \in A^f_{i+1}\}$.

Proof: The partition $A^f$ contains the same elements as the original partition
$A$. So it is well-defined as an unordered set of subsets. Furthermore, the
ordering process is well-defined. Step 2a orders those subsets uniquely that
have different sizes. Step 2b orders the subsets with the same size uniquely.
Note that this second step depends on the order of the input variables of the
function $f$. In other words, the order of the subsets in partition $A^f$ is just unique
with respect to the Boolean function $f$ which has been considered. ■

Now we consider signatures again. What can we say about the relationship
between signatures and $\mathcal{G}$-symmetry? There are two properties that complete
our picture about signatures. The first property is very important and can be
formulated without further considerations.

Theorem 8.1 Let $\mathcal{G} \subseteq Per(X_n)$ be the group of permutations of $X_n$ which
constructs partition $A$. Consider any element $A_l$ of $A$, any $\mathcal{G}$-symmetric
Boolean function $f$, and any signature function $s \in S_n$. Then, for any
$x_i, x_j \in A_l$ the equation $s(f, x_i) = s(f, x_j)$ holds.

Proof: For all $x_i, x_j \in A_l$ there is a permutation $\tau \in \mathcal{G}$ such that $\tau(i) = j$.
Consider any $x_i, x_j \in A_l$, a permutation $\tau \in \mathcal{G}$ such that $\tau(i) = j$, and any
signature function $s$. Because of Definition 8.2, the equation

$s(f, x_i) = s(f \circ \tau, \tau(x_i))$

holds. Since $f$ is $\mathcal{G}$-symmetric, we have

$s(f \circ \tau, \tau(x_i)) = s(f, \tau(x_i)).$

Together with the previous equation this results in

$s(f, x_i) = s(f, x_j).$

This result now gives us a possible explanation for the trouble several benchmarks have with the signature approach. It is possible that the benchmarks with
aliasing include $\mathcal{G}$-symmetric functions. Then there is no unique description
by signatures for the input variables of these functions. Thus, it is futile to try to
distinguish all the variables with additional signatures. But what do we do in
this case? Our response to this is that we do not really need to uniquely identify
the variables in most cases. We can achieve our end goal of establishing permutation independent function equivalence by identifying the variables involved
in the $\mathcal{G}$-symmetry and exploring the exact nature of the $\mathcal{G}$-symmetry. This is
further explored in the next sections. Before we discuss it, let us develop the
second property of signatures with respect to $\mathcal{G}$-symmetry. For this, we need
to think about a universal signature function.
Definition 8.7 (universal signature) A universal signature function
$u : B_n \times X_n \to U$ is a signature function which has the following property:
Given a Boolean function $f \in B_n$, the partition $A = \{A_1, A_2, \ldots, A_k\}$ of its
input variables which is induced by $\mathcal{G}$-symmetry, and two variables $x_i, x_j \in X_n$,
then the implication

$x_i \in A_l,\ x_j \in A_h \text{ with } l \neq h \implies u(f, x_i) \neq u(f, x_j)$

holds.

If two input variables $x_i$ and $x_j$ are not in the same subset of partition $A$ of a
Boolean function $f \in B_n$, then the universal signature function has to provide
different signatures for these two variables. Such a universal signature function
has the property to dominate any other signature function $s \in S_n$.

Lemma 8.7

$\forall f \in B_n\ \forall x_i, x_j \in X_n :$

$(\exists s \in S_n : s(f, x_i) \neq s(f, x_j)) \implies (u(f, x_i) \neq u(f, x_j)).$

In other words, if there is any signature function which can distinguish between
two input variables of a Boolean function, then the universal signatures of these
two variables have to be able to distinguish between them as well.

Proof: The property of Lemma 8.7 can be easily proved. If two input
variables $x_i$ and $x_j$ of a Boolean function $f \in B_n$ have different signatures for
any signature function $s \in S_n$, then there does not exist an input permutation
$\tau \in \mathcal{G}(f)$ with $\tau(i) = j$. Thus, variables $x_i$ and $x_j$ have to be in different
subsets of the partition $A$ of the input variables of $f$. Because of Definition 8.7,
the universal signature of these two variables has to be different as well. ■

In this sense, we can say that a universal signature function is the strongest
signature function which can be constructed.

To close up the investigations let us prove that universal input signature functions really exist.

Theorem 8.2 There is a universal signature function $U : B_n \times X_n \to U$.

Proof: At first we construct a candidate for a universal signature function.
Then we show that this candidate is a signature function and that it is universal.

1 Construction:

188 EQUIVALENCE CHECKING OF DIGITAL CIRCUITS

Let us consider a Boolean function $f \in B_n$. From Lemma 8.5, it follows
that there is a well-defined partition $A$ of the input variables of function $f$
which corresponds to the equivalence relation $R_{\mathcal{G}(f)}$. Let $A$ be given by

$A = \{A_1, A_2, \ldots, A_k\} = \{\{x^1_1, \ldots, x^1_{n_1}\}, \{x^2_1, \ldots, x^2_{n_2}\}, \ldots, \{x^k_1, \ldots, x^k_{n_k}\}\}.$

Now, we select the lexicographically smallest (see Definition 2.10 on page
15) of all functions that can be constructed by permuting the input variables
of $f$:

$f_{min} = \min\{g \in B_n : g = f \circ \tau \text{ with } \tau \in Per(X_n)\}.$

This function $f_{min}$ is a permutation independent information on $f$ and has
a unique partition $\hat{A}$ of its input variables as well.

What do we know about the relationship between function $f$ and function
$f_{min}$ and the partition of their input variables? We know that

$f_{min} = f \circ \hat{\tau}$

for an input permutation $\hat{\tau} \in Per(X_n)$. In other words, these two functions
are permutation equivalent. From this fact, it follows that the partition $\hat{A}$
has the same structure as partition $A$:

$\hat{A} = \{\hat{A}_1, \hat{A}_2, \ldots, \hat{A}_k\} = \{\{y^1_1, \ldots, y^1_{n_1}\}, \{y^2_1, \ldots, y^2_{n_2}\}, \ldots, \{y^k_1, \ldots, y^k_{n_k}\}\}.$

Furthermore, there is a one-to-one mapping $\Phi : A \to \hat{A}$ which maps
the classes of partition $A$ to the classes of partition $\hat{A}$. $\Phi$ depends on the
input permutation $\hat{\tau}$ which we use to construct $f_{min}$. Let us have a look at
mapping $\Phi$.

Let $\sigma \in \mathcal{G}(f)$ be a permutation which keeps $f$ invariant. Then, the equation

$f_{min} \circ (\hat{\tau}^{-1} \circ \sigma \circ \hat{\tau}) = (f \circ \hat{\tau}) \circ (\hat{\tau}^{-1} \circ \sigma \circ \hat{\tau})$
$= f \circ (\hat{\tau} \circ \hat{\tau}^{-1}) \circ (\sigma \circ \hat{\tau})$
$= f \circ (\sigma \circ \hat{\tau})$
$= (f \circ \sigma) \circ \hat{\tau}$
$= f \circ \hat{\tau}$
$= f_{min}$

holds, i.e., the permutation $\hat{\tau}^{-1} \circ \sigma \circ \hat{\tau}$ keeps $f_{min}$ invariant and
$(\hat{\tau}^{-1} \circ \sigma \circ \hat{\tau}) \in \mathcal{G}(f_{min})$.

Furthermore, for any variable $x_j$, the equation

$(\hat{\tau}^{-1} \circ \sigma \circ \hat{\tau})(\hat{\tau}^{-1}(x_j)) = (\hat{\tau}^{-1} \circ \sigma \circ \hat{\tau} \circ \hat{\tau}^{-1})(x_j)$
$= (\hat{\tau}^{-1} \circ \sigma \circ (\hat{\tau} \circ \hat{\tau}^{-1}))(x_j)$
$= \hat{\tau}^{-1}(\sigma(x_j))$

holds as well. Note that $x_j$ and $\sigma(x_j)$ are contained in the same class $A_l$ of
partition $A$ because $\sigma \in \mathcal{G}(f)$. The above equation states that $\hat{\tau}^{-1}(x_j)$ and
$\hat{\tau}^{-1}(\sigma(x_j))$ are contained in the same class with respect to partition $\hat{A}$ as
well, because $(\hat{\tau}^{-1} \circ \sigma \circ \hat{\tau}) \in \mathcal{G}(f_{min})$, and

$\Phi(A_l) = \hat{\tau}^{-1}(A_l)$

holds for all $l = 1, \ldots, k$.

Now, let us continue with the construction of a universal signature function.
There is a well-defined and ordered partition of the input variables of $f_{min}$:

$\hat{A}^{f_{min}} = [\hat{A}^{f_{min}}_1, \hat{A}^{f_{min}}_2, \ldots, \hat{A}^{f_{min}}_k]$

which is constructed by ordering the classes of partition $\hat{A}$ according to
Lemma 8.6. With the help of this partition we construct our candidate $U$
for a universal signature function by setting

$U(f, x_i) = j$ with $\hat{\tau}^{-1}(x_i) \in \hat{A}^{f_{min}}_j$

for any $x_i \in X_n$.

2 Proof of correctness:

We prove that $U$ is a universal signature function in three steps.

(a) $U$ is a well-defined mapping from $B_n \times X_n$ into an ordered set $(U, <)$.
Proof: In order to prove that $U$ is a well-defined mapping, we need
to consider the case that there are more than one input permutations
$\tau \in Per(X_n)$ which construct the lexicographically smallest function

$f_{min} = f \circ \tau.$

Suppose there are two of those input permutations, $\hat{\tau}_1$ and $\hat{\tau}_2$. Then
consider any input variable $x_i$ of function $f$ and let $A_r \in A$ be the class
of $x_i$ with respect to $f$. Both permutations $\hat{\tau}_1^{-1}$ and $\hat{\tau}_2^{-1}$ map $A_r$ onto
classes $\hat{A}^{f_{min}}_p$ and $\hat{A}^{f_{min}}_q$ for some $p$ and $q$, respectively, i.e.,

$\hat{\tau}_1^{-1}(A_r) = \hat{A}^{f_{min}}_p$ and $\hat{\tau}_2^{-1}(A_r) = \hat{A}^{f_{min}}_q.$
Thus, the input permutation $\hat{\tau}_2^{-1} \circ \hat{\tau}_1$ exchanges $\hat{A}^{f_{min}}_p$ and $\hat{A}^{f_{min}}_q$:

$(\hat{\tau}_2^{-1} \circ \hat{\tau}_1)(\hat{A}^{f_{min}}_p) = \hat{A}^{f_{min}}_q.$

Since the equation

$f \circ \hat{\tau}_1 = f_{min} = f \circ \hat{\tau}_2$

holds, the input permutation $\hat{\tau}_2^{-1} \circ \hat{\tau}_1$ keeps the Boolean function $f_{min}$
invariant as well:

$f_{min} \circ (\hat{\tau}_2^{-1} \circ \hat{\tau}_1) = (f \circ \hat{\tau}_2) \circ (\hat{\tau}_2^{-1} \circ \hat{\tau}_1)$
$= f \circ (\hat{\tau}_2 \circ \hat{\tau}_2^{-1}) \circ \hat{\tau}_1$
$= f \circ \hat{\tau}_1$
$= f_{min}.$

Thus

holds and $U$ is well-defined.

(b) $U$ is a signature function.

Proof: Let us consider the function $f_{min}$. This function is information
about the Boolean function $f$ which is independent of any permutation of the input variables of $f$ since we use all $\tau \in Per(X_n)$ for its
construction. Also the partition $\hat{A}^{f_{min}}$ is permutation independent information for $f$. From this, it follows that the information we obtain
for an input variable $x_i$ using $U$ is independent of any permutation of
the inputs.

(c) $U$ is universal.

Proof: Let us consider the mapping $\Phi : A \to \hat{A}$ again, which maps
the classes of the partition of the inputs of function $f$ to those of the
partition of the inputs of function $f_{min}$. From the construction of this
mapping, it follows that if two input variables $x_i$ and $x_j$ of function $f$ are
in different classes of partition $A$, then $\hat{\tau}^{-1}(x_i)$ and $\hat{\tau}^{-1}(x_j)$ are in different classes of the partition $\hat{A}$ of the lexicographically smallest function
$f_{min}$ as well. Remember, the input permutation $\hat{\tau}$ is a permutation of
the input variables of function $f$ which constructs the lexicographically
smallest of all those functions, $f_{min} = f \circ \hat{\tau}$.

Now, if we order $\hat{A}$ as proposed in Lemma 8.6, then we obtain the
well-defined and ordered partition $\hat{A}^{f_{min}}$ for the function $f_{min}$, and it
follows for any Boolean function $f \in B_n$ and for all input variables
$x_i, x_j \in X_n$:

$x_i \in A_l \text{ and } x_j \in A_h \text{ with } l \neq h \implies x_{\hat{\tau}^{-1}(i)} \in \hat{A}^{f_{min}}_p \text{ and } x_{\hat{\tau}^{-1}(j)} \in \hat{A}^{f_{min}}_q \text{ with } p \neq q,$

which is equivalent to

$x_i \in A_l \text{ and } x_j \in A_h \text{ with } l \neq h \implies U(f, x_i) \neq U(f, x_j).$ ■



The signature function $U$ demonstrates the property of a universal signature
function to dominate all other signature functions very well. The partition $A$,
which is the basic component for the construction of $U$, is nothing else but the
partition of the input variables which we try to construct with the help of our
practical signatures. Now, if the universal signature for an input variable is the
index of such a class of the partition, then one fact is obvious. If there is a
practical signature which is different for two variables, then these two variables
will be in two different classes of the partition. Thus, the universal signatures
of these two variables will be different as well.

Why does it help to know that there is a universal signature function? It cannot be used in practice since its construction would be computationally too
intensive. However, it is useful to have such a universal signature function
for theoretical investigations. In [85], a method for analytically comparing the
effectiveness of signature functions is introduced. Given a signature function
$s : B_n \times X_n \to U$, a measure $\mu(s)$ of the effectiveness of $s$ is the cardinality
of the co-domain of $s$, which is $|U|$. However, as we can see here, a small
co-domain does not automatically imply that the signature function is not effective. In the case of the universal signature function, the inequation $\mu(U) \le n$
holds. However, as we have proven, the universal signature function is the most
powerful signature function of all.

Let us now discuss signatures in relationship to $\mathcal{G}$-symmetry. Because of
Definition 8.7, if any two input variables of a Boolean function have the same
signature with respect to the universal signature function, then there is a non-trivial permutation $\tau \in Per(X_n) \setminus \{1\}$ of the input variables of this function,
such that $f = f \circ \tau$. Since this permutation $\tau$ of the input variables keeps the
function $f$ invariant, the function $f$ is $\mathcal{G}$-symmetric with respect to a group $\mathcal{G}$
of input permutations with $\mathcal{G} \neq \{1\}$ and Theorem 8.3 holds.
Theorem 8.3 Let $f \in B_n$ and let $A = \{A_1, A_2, \ldots, A_k\}$ be the partition
of the input variables of $f$ induced by $\mathcal{G}$-symmetry. Then

$\forall x_i, x_j \in X_n : (U(f, x_i) = U(f, x_j)) \iff (\exists l \in \{1, \ldots, k\} : x_i, x_j \in A_l).$

Together with Theorem 8.1, the property of a universal signature ensures that
we do not need to think about other problems with signatures identifying input
variables for permutation independent function equivalence. Assuming the
availability of efficiently working signature functions, it demonstrates that $\mathcal{G}$-symmetry is indeed the only handicap for signatures to be able to uniquely
identify an input variable of a Boolean function independent of permutation.
Thus, we now need to focus on $\mathcal{G}$-symmetries.

5. Special kinds of ^-symmetries 

Specifically, we now discuss some special kinds of ^-symmefry which oflen 
appear in practice. Of course, fhis cannof be a complete enumeration of possible 
^-symmefries. These cases have been discovered in fhe quesf fo undersfand 
why signafures were proving fo be inadequafe for permufafion independenf 
Boolean comparison in some cases. 

5.1 Partial symmetries 

At first, let us consider the most common case. As already defined in Definition 
8.5 on page 182, a Boolean function $f \in B_n$ is symmetric in a subset of input 
variables $X \subseteq X_n$ if $f$ is invariant under all permutations of the input variables 
in $X$. We say that $f$ is symmetric (or partially symmetric, in order to be able to 
distinguish between this special kind of $G$-symmetry and other kinds of $G$-symmetry) 
in $X$. Furthermore, the set $X$ is a maximal symmetry group (a maximal set of 
symmetric variables) of $f$ if $f$ is symmetric in $X$, and there is no variable 
$x_i \notin X$ such that $f$ is symmetric in $X \cup \{x_i\}$ as well. This is the simplest 
kind of $G$-symmetry, and it is well-known. In the partition $A$ of the inputs of 
a Boolean function $f$ which is partially symmetric in $X$, all input variables of 
subset $X$ are in one subset. 

Partial symmetries are easy to detect and to handle. 

Theorem 8.4 A Boolean function $f$ is partially symmetric in the variables 
$x_i$ and $x_j$ if and only if $f_{[x_i,x_j]=(1,0)} = f_{[x_i,x_j]=(0,1)}$. 

With the help of this theorem we are able to test partial symmetry, since the 
corresponding relation is an equivalence relation [110]. Furthermore, different 
fast methods to improve this basic symmetry test have been developed. We use 
the methods introduced in [110], while one of the methods introduced there is 
to use simple signatures. For more details, please see [110, 132]. 

After the detection of partial symmetries we are done with that special kind of 
$G$-symmetry, since any correspondence between symmetric variables of two 
Boolean functions serves the purpose of testing permutation equivalence. Thus, 
one of the first steps of the identification process is to determine all maximal 
groups of pairwise symmetric variables. The advantage is that further signature 
computations can be restricted to one representative of each maximal symmetry 
group. We suggest determining the maximal symmetry groups after applying 
the cofactor satisfy count signature function. Establishing a first variable partition 
by using this signature function is computationally not as intensive as 
applying the symmetry check to each pair of variables. Furthermore, we then 
have to apply the symmetry check only to variables which are elements of the same 
aliasing group. By this, we combine methods of symmetry detection with 
the advantages of applying different signature functions. 
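The procedure just described (a first partition by the cofactor satisfy-count signature, then the pairwise test of Theorem 8.4 restricted to each aliasing group) as an added, runnable example; this is not code from the book. It assumes a Boolean function is given as a Python callable on an $n$-tuple of bits, that the variable $x_i$ of the text is index $i-1$, and that "satisfy count" means the number of satisfying entries of the cofactor's truth table, which is one reasonable reading of the signature named in the text.

```python
from itertools import product

# Added example (not code from the book): testing partial symmetry with
# Theorem 8.4 and grouping variables into maximal symmetry groups, after a
# first partition by the cofactor satisfy-count signature. A Boolean function
# f in B_n is represented as a Python callable on an n-tuple of bits; the
# variable x_i of the text is index i-1 here.

def cofactor(f, n, fixed):
    """Truth table (over all 2^n assignments) of the cofactor of f in which
    the variables in `fixed` (index -> 0/1) are forced to constants."""
    table = []
    for bits in product((0, 1), repeat=n):
        v = list(bits)
        for i, val in fixed.items():
            v[i] = val
        table.append(f(tuple(v)))
    return tuple(table)

def pairwise_symmetric(f, n, i, j):
    """Theorem 8.4: f is partially symmetric in x_i, x_j iff
    f|[x_i,x_j]=(1,0) equals f|[x_i,x_j]=(0,1)."""
    return cofactor(f, n, {i: 1, j: 0}) == cofactor(f, n, {i: 0, j: 1})

def satisfy_count_signature(f, n, i):
    """Cofactor satisfy-count signature of x_i: number of satisfying
    assignments of the cofactor f|x_i=1 (the same cheap signature is used
    for every variable, so equal counts form an aliasing group)."""
    return sum(cofactor(f, n, {i: 1}))

def maximal_symmetry_groups(f, n):
    """Step 1: partition the variables into aliasing groups by signature.
    Step 2: inside each aliasing group only, merge pairwise symmetric
    variables. Because partial symmetry is an equivalence relation, testing
    each variable against one representative of a group is enough."""
    aliasing = {}
    for i in range(n):
        aliasing.setdefault(satisfy_count_signature(f, n, i), []).append(i)
    groups = []
    for members in aliasing.values():
        remaining = list(members)
        while remaining:
            rep = remaining.pop(0)
            group = [rep]
            for v in list(remaining):
                if pairwise_symmetric(f, n, rep, v):
                    group.append(v)
                    remaining.remove(v)
            groups.append(tuple(group))
    return sorted(groups)

def nor(a, b):
    return int(not (a or b))

def f_example(v):
    """The book's example f = (x1+x2)' + (x3+x4)' + (x5+x6)', constructed
    here as a callable on (x1, ..., x6)."""
    return int(nor(v[0], v[1]) or nor(v[2], v[3]) or nor(v[4], v[5]))

if __name__ == "__main__":
    print(maximal_symmetry_groups(f_example, 6))   # [(0, 1), (2, 3), (4, 5)]
```

For the example function all six variables share the signature value, so one aliasing group remains and the pairwise test is what splits it into the three maximal symmetry groups; a function whose variables already get different signatures (the second assertion below) never runs the cofactor comparison at all.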

5.2 Hierarchical symmetries 

Investigations on our benchmark set have shown that for several examples the 
reason for the existence of aliasing groups after computation of all signature 
functions is the following kind of symmetry. 

Definition 8.8 (hierarchical symmetry) Let $f \in B_n$ be a Boolean 
function with the input variables $X_n = [x_1, x_2, \ldots, x_n]$ and let $Y_1, Y_2 \subseteq X_n$ 
be two subsets of $X_n$. $Y_1$ and $Y_2$ are hierarchically symmetric (h-symmetric) if 
and only if 

■ $|Y_1| = |Y_2| > 1$, 

■ $Y_1$ and $Y_2$ are maximal symmetry groups of $f$, and 

■ $f$ is $H(Y_1, Y_2)$-symmetric, where $H(Y_1, Y_2)$ is the subgroup of the permutation 
group $Per(X_n)$ generated by the set 

$$\{\tau \in Per(X_n) \mid \tau(Y_1) = Y_2 \text{ and } \tau(Y_2) = Y_1\}$$ 

of input permutations, i.e., $f$ keeps invariant under any exchange of the 
variables of $Y_1$ with those of $Y_2$. 

A group of subsets $\{Y_1, Y_2, \ldots, Y_k\}$ of $X_n$ is h-symmetric if and only if for all 
$i, j \in \mathbb{N}_k$, $Y_i$ is h-symmetric to set $Y_j$. 

For illustration, consider the Boolean function 

$$f = (x_1 + x_2)' + (x_3 + x_4)' + (x_5 + x_6)'.$$ 

Here, $\{x_1, x_2\}$, $\{x_3, x_4\}$, and $\{x_5, x_6\}$ are pairs of symmetric variables, but 
there is no partial symmetry between two variables of different pairs. However, 
it is easy to see that exchanging any two of these three pairs keeps the function 
$f$ invariant. This simple example illustrates h-symmetry. 

Lemma 8.8 The h-symmetry relation is an equivalence relation on the partition 
of the set of input variables of a Boolean function $f$ into its maximal symmetry 
groups. 

Proof: Symmetry and reflexivity are obvious. For transitivity 
we have to show the following. Let $Y_1$, $Y_2$, and $Y_3$ be three disjoint sets of 
symmetric variables. If $Y_1$ is h-symmetric to $Y_2$ and $Y_2$ is h-symmetric to $Y_3$, 
then $Y_1$ and $Y_3$ are h-symmetric as well. Therefore, let us go through all points 
of the definition of h-symmetry: 

■ $|Y_1| = |Y_2| = |Y_3| > 1$. 

■ $Y_1$ and $Y_3$ are maximal symmetry groups of $f$: true by assumption. 

■ We know that exchanging $Y_1$ with $Y_2$ as well as exchanging $Y_2$ and $Y_3$ does 
not change the function $f$. So, let us do the following. First, exchange the 
variables of $Y_1$ with those of $Y_2$. After that, exchange the variables of $Y_2$ 
with those of $Y_3$. The resulting function is equal to $f$ due to the h-symmetry of 
$Y_1$ and $Y_2$ and the h-symmetry of $Y_2$ and $Y_3$. What we have done is to exchange 
the variables of $Y_1$ with those of $Y_3$ using the variables of $Y_2$. This implies 
that exchanging $Y_1$ with $Y_3$ does not change function $f$. ■ 


The definition of h-symmetry indicates that this is a special kind of $G$-symmetry. 
Let us examine the partition $A$ of the input variables constructed by h-symmetry. 

Theorem 8.5 If two subsets $Y_1$ and $Y_2$ of input variables are h-symmetric, 
then all input variables of $Y_1$ and $Y_2$ are in one element $A_i$ of partition $A$. 

Proof: This follows directly from the definition of partition $A$. ■ 

Thus, from Theorem 8.1, we know that all of these variables have to have 
the same signature, i.e., they form an aliasing group. In other words, there is 
no way to distinguish between them via signatures. However, there is a partial 
solution for this problem in practice. It is based upon our handling of symmetric 
variables. To understand this, let us consider the algorithm to identify the input 
variables by signatures. Here, we first determine all maximal groups of pairwise 
symmetric variables (see previous section). In this way, pairwise symmetric 
variables are kept together in aliasing groups. Now, let us consider two h-symmetric 
subsets $Y_1$, $Y_2$ of input variables of function $f$ which form an aliasing 
group $Y_1 \cup Y_2$. A correspondence between these variables and the variables 
of an aliasing group $Z$ of any other function $g$ is possible if the variables of 
aliasing group $Z$ have the same signature as the variables of $Y_1 \cup Y_2$ and 
aliasing group $Z$ has the same structure as aliasing group $Y_1 \cup Y_2$. That is, 
there are maximal symmetry groups $Z_1$ and $Z_2$ with $Z = Z_1 \cup Z_2$, $|Z_1| = |Y_1|$, 
and $|Z_2| = |Y_2|$. Then there are two possible correspondences between these 
groups: 

$$(Y_1 \leftrightarrow Z_1,\; Y_2 \leftrightarrow Z_2)$$ 

as well as 

$$(Y_1 \leftrightarrow Z_2,\; Y_2 \leftrightarrow Z_1).$$ 

Because of h-symmetry both correspondences are acceptable for our purpose. 
In other words, the remaining task in terms of h-symmetry is to detect this kind 
of symmetry. This is sufficient to decide that no further work needs to be done 
with these aliasing groups in order to solve the permutation problem. 

So let us try and see what we have to do. At first, we answer the following question. 
Let $f$ be a Boolean function with $n$ input variables, $X_n = [x_1, x_2, \ldots, x_n]$, 
and $Y_1$ and $Y_2$ be two disjoint subsets of the set of inputs, i.e., $Y_1, Y_2 \subseteq X_n$. 
When is it possible to exchange $Y_1$ and $Y_2$ in the function $f$ without changing $f$ 
itself? An obvious necessary condition is that the number of variables in $Y_1$ and 
$Y_2$ has to be the same. Otherwise one subset cannot be completely exchanged 
with the other. However, this is not sufficient. Supposing that $|Y_1| = |Y_2| = k$, 
let us see what sufficient condition exists for the exchangeability of $Y_1$ and $Y_2$. 

Let $f_{[Y_1,Y_2]=(\alpha^{(1)},\alpha^{(2)})}$ be the cofactor of $f$ where the variables of $Y_1$ are set to 
$\alpha^{(1)} \in \{0,1\}^k$ and the variables of $Y_2$ are set to $\alpha^{(2)} \in \{0,1\}^k$. A sufficient 
condition is the following: 

Theorem 8.6 Exchanging two different, ordered subsets of variables, $Y_1 = 
[x_1^{(1)}, \ldots, x_k^{(1)}]$ and $Y_2 = [x_1^{(2)}, \ldots, x_k^{(2)}]$, i.e., exchanging $x_i^{(1)}$ with $x_i^{(2)}$ for 
all $i \in \mathbb{N}_k$, does not change the function $f$ if and only if for all assignments 
$\alpha^{(1)}, \alpha^{(2)} \in \{0,1\}^k$ the equation 

$$f_{[Y_1,Y_2]=(\alpha^{(1)},\alpha^{(2)})} = f_{[Y_1,Y_2]=(\alpha^{(2)},\alpha^{(1)})}$$ 

holds. 



Note that a well-known special case of this property is $k = 1$, i.e., the question 
whether two variables $x_i$ and $x_j$ are exchangeable in a Boolean function $f$ 
without changing $f$. We know that this kind of symmetry can be shown using 
Theorem 8.4. In other words, Theorem 8.6 is a generalization of the well-known 
symmetry test for symmetric variables to a test for the exchangeability 
of groups of variables. 

However, since both $Y_1$ and $Y_2$ are symmetry groups, it is much easier to 
test whether $Y_1$ and $Y_2$ can be exchanged without changing $f$ than for the 
general case stated in Theorem 8.6. We know that $f$ keeps invariant under 
all permutations of the variables in $Y_i$ ($i \in \{1,2\}$). Furthermore, each vector 
$\alpha \in \{0,1\}^k$ with exactly $l$ ones in it is a permutation of any other vector with 
$l$ ones in it. Thus, $f$ is partially symmetric in $Y_i$ if and only if $f$ depends on 
the number of ones in the input assignment to $Y_i$ only [146]. We will call the 
number of ones in an input assignment to a set $Y_i$ of variables the weight of 
that input assignment with respect to $Y_i$. Thus, we can directly conclude the 
following two facts about the cofactors of $f$ with respect to a set of symmetric 
variables. 

Lemma 8.9 Let $V_l$ be the set of all assignments to the set $Y_i$ of symmetric 
variables with weight $l$. Let $\alpha^{(1)}, \alpha^{(2)} \in V_l$. Then $f_{Y_i=\alpha^{(1)}} = f_{Y_i=\alpha^{(2)}}$ holds. 

This gives us the number of different cofactors with respect to a set $Y_i$ of 
symmetric variables that can be constructed. 

Lemma 8.10 Consider the set of the cofactors of $f$ that can be constructed 
with respect to the set $Y_i$ of symmetric variables. The cardinality of this set is 
bounded by $|Y_i| + 1$. 

With Lemmas 8.9 and 8.10 the test of Theorem 8.6 which checks whether $Y_1$ and 
$Y_2$ are exchangeable without changing function $f$ can efficiently be performed. 
We have to consider $k + 1$ assignments to $Y_1$ as well as to $Y_2$, one of every 
possible weight. In other words, we do not have to test all combinations of the 
$2^k$ assignments but only all combinations of the $k + 1$ possible weights. 

Theorem 8.7 Exchanging two different subsets $Y_1$ and $Y_2$ of symmetric variables 
does not change function $f$ if and only if for all weights $l_1, l_2 \in \{0, \ldots, k\}$ 
with $l_1 \neq l_2$ the equation 

$$f_{[Y_1,Y_2]=(\alpha^{(l_1)},\alpha^{(l_2)})} = f_{[Y_1,Y_2]=(\alpha^{(l_2)},\alpha^{(l_1)})}$$ 

with $\alpha^{(w)} = (\underbrace{1, \ldots, 1}_{w}, \underbrace{0, \ldots, 0}_{k-w})$ holds. 

Note that we have to know that $Y_1$ and $Y_2$ are sets of symmetric variables before 
using Theorem 8.7 for our purpose. 

What about the weight combinations $0/0, 1/1, \ldots, k/k$? Obviously, we do not 
have to test these combinations, since an exchange of the two variable groups 
with these assignments does not change the function value of $f$. 

Supposing the symmetry of the variables of our two groups $Y_1$ and $Y_2$ has been tested 
before, we obtain the moderate number of $(k^2 + k)/2$ tests necessary to check 
the h-symmetry of $Y_1$ and $Y_2$, namely $k$ choices for the assignment to $Y_2$ in 
the first step, $k - 1$ in the second, and so on. Dealing with ROBDDs we know 
that these tests need constant time on the given cofactors only. The cofactor 
construction itself needs time linear in the number of ROBDD nodes of $f$. So, 
in all, we need time $O(k^2 \cdot |F|)$ where $|F|$ denotes the number of nodes in the 
ROBDD $F$ of $f$ and $k$ the size of the two variable groups we want to test. 

Now we can start with a description of the complete algorithm to determine the 
h-symmetry groups of a Boolean function $f \in B_n$. First, let us illustrate the 
algorithm by example. Again, let us consider the Boolean function 

$$f = (x_1 + x_2)' + (x_3 + x_4)' + (x_5 + x_6)'$$ 

which is h-symmetric in $\{\{x_1,x_2\}, \{x_3,x_4\}, \{x_5,x_6\}\}$. This can be proved as 
follows: 

1. Consider the groups of symmetric variables. In the case of this example 
there are three groups of size 2, namely $Y_1 = \{x_1, x_2\}$, $Y_2 = \{x_3, x_4\}$, 
and $Y_3 = \{x_5, x_6\}$. 

2. To prove the h-symmetry of these groups it is enough to check $Y_1$ with $Y_2$ 
and $Y_2$ with $Y_3$, because of Lemma 8.8. Three cofactor tests are necessary 
in both cases, namely for the weight combinations 0/1, 0/2, and 1/2. For $Y_1$ 
and $Y_2$ these are 

$$f_{[x_1,x_2,x_3,x_4]=(0,0,1,0)} = f_{[x_1,x_2,x_3,x_4]=(1,0,0,0)},$$ 

$$f_{[x_1,x_2,x_3,x_4]=(0,0,1,1)} = f_{[x_1,x_2,x_3,x_4]=(1,1,0,0)},$$ 

$$f_{[x_1,x_2,x_3,x_4]=(1,0,1,1)} = f_{[x_1,x_2,x_3,x_4]=(1,1,1,0)} = (x_5 + x_6)'.$$ 

Analogously, three cofactor tests have to be done to check the exchangeability 
of $Y_2$ and $Y_3$. 

Now, let us come to our algorithm. Given a Boolean function $f \in B_n$, we can 
determine the h-symmetries of the variables of $f$ in two steps. 

■ In the first step the list of all candidates for h-symmetry is computed. A 
candidate for h-symmetry is a set of same-sized partial symmetry groups 
of variables of $f$, except those of size one. Note that we construct maximal 
candidates only. So, there is no h-symmetry possible between different 
candidates. In the above example, there is exactly one candidate, namely 
$\{\{x_1, x_2\}, \{x_3, x_4\}, \{x_5, x_6\}\}$. 

■ In the second step we use Theorem 8.7 and Lemma 8.8 for each candidate 
to establish the h-symmetry groups. 

Step 2 of this approach has been described already on the above example. The 
generalization is straightforward. Note that a candidate for h-symmetry could 
include sets of input variables that belong to different h-symmetries. If this 
case has to be taken into account, then we need to test the exchangeability of 
each pair of variable sets in the candidate. 

Let us discuss Step 1. What is the best way to determine the list of candidates? 
One way is the following. First, compute all groups of partial symmetries of 
Xn with respect to function /, then sort these groups by their size. A candidate 
is the set of all symmetry groups with the same size, except the one including all 
groups of size one. However, this kind of selection of candidates is not the best 
- any cofactor test (and so any cofactor construction) that can be avoided is a 
bonus point with respect to CPU time and storage requirements. Nevertheless, 
we already know a better way for this. Theorem 8.1 tells us that the variables 
of any two partial symmetry groups have to have the same signature to be a 
candidate for h-symmetry. That is why the signature computation is an efficient 
pre-processing for the selection of candidates for h-symmetry. Only aliasing 
groups which consist of groups of symmetric variables are candidates. In this 
way we are likely to obtain a smaller set of candidates, such that we can avoid 
cofactor constructions. Thus to create the list of candidates for h-symmetry, 
we use all the signatures first. If there are aliasing groups, then we select those 
groups that consist of symmetric variable groups as candidates for h-symmetry. 
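The weight test of Theorem 8.7 and the two-step candidate procedure of this section, written out as an added, runnable example (not the book's code). It assumes a Boolean function is a Python callable on an $n$-tuple of bits, that $x_i$ of the text is index $i-1$, and that the maximal symmetry groups are already known and passed in, as the text requires before Theorem 8.7 may be applied; the signature pre-selection of candidates is left out, so the candidates are simply the same-sized groups.

```python
from itertools import product

# Added example (not the book's code): the weight-based exchangeability test
# of Theorem 8.7 and the two-step h-symmetry algorithm of Section 5.2.
# Conventions: a Boolean function is a callable on an n-tuple of bits, the
# variable x_i of the text is index i-1, and the maximal symmetry groups are
# assumed to be known already (the text requires this before Theorem 8.7 is used).

def cofactor(f, n, fixed):
    """Truth table of f with the variables in `fixed` (index -> bit) forced."""
    table = []
    for bits in product((0, 1), repeat=n):
        v = list(bits)
        for i, val in fixed.items():
            v[i] = val
        table.append(f(tuple(v)))
    return tuple(table)

def weight_assignment(k, w):
    """alpha^(w) = (1,...,1,0,...,0) with w ones and k-w zeros."""
    return (1,) * w + (0,) * (k - w)

def exchangeable(f, n, y1, y2):
    """Theorem 8.7: two symmetry groups y1, y2 of size k can be exchanged
    without changing f iff for every pair of distinct weights l1 < l2 the
    cofactors f|[Y1,Y2]=(a^(l1),a^(l2)) and f|[Y1,Y2]=(a^(l2),a^(l1)) agree.
    That is (k^2+k)/2 cofactor pairs instead of 2^k * 2^k assignments."""
    k = len(y1)
    if k != len(y2):
        return False            # unequal sizes can never be exchanged
    for l1 in range(k + 1):
        for l2 in range(l1 + 1, k + 1):
            a1, a2 = weight_assignment(k, l1), weight_assignment(k, l2)
            left = cofactor(f, n, {**dict(zip(y1, a1)), **dict(zip(y2, a2))})
            right = cofactor(f, n, {**dict(zip(y1, a2)), **dict(zip(y2, a1))})
            if left != right:
                return False
    return True

def h_symmetry_groups(f, n, symmetry_groups):
    """Step 1: candidates are the sets of same-sized symmetry groups (groups of
    size one are dropped). Step 2: within a candidate, classes are built with
    Theorem 8.7; since h-symmetry is an equivalence relation (Lemma 8.8) each
    group is tested against one representative of a class only. Returns the
    list of h-symmetric classes, each a tuple of variable-index tuples."""
    candidates = {}
    for g in symmetry_groups:
        if len(g) > 1:
            candidates.setdefault(len(g), []).append(tuple(g))
    classes = []
    for groups in candidates.values():
        remaining = list(groups)
        while remaining:
            rep = remaining.pop(0)
            cls = [rep]
            for g in list(remaining):
                if exchangeable(f, n, rep, g):
                    cls.append(g)
                    remaining.remove(g)
            classes.append(tuple(cls))
    return sorted(classes)

def nor(a, b):
    return int(not (a or b))

def f_hsym(v):
    """f = (x1+x2)' + (x3+x4)' + (x5+x6)', the book's h-symmetry example."""
    return int(nor(v[0], v[1]) or nor(v[2], v[3]) or nor(v[4], v[5]))

def f_gsym(v):
    """f = a0*x1*x2 + b0*x3*x4 (Section 5.3): indices 0,1 are a0,b0 and 2..5
    are x1..x4; the pairs {x1,x2}, {x3,x4} are symmetric but not h-symmetric."""
    a0, b0, x1, x2, x3, x4 = v
    return int((a0 and x1 and x2) or (b0 and x3 and x4))

if __name__ == "__main__":
    print(h_symmetry_groups(f_hsym, 6, [(0, 1), (2, 3), (4, 5)]))
    # [((0, 1), (2, 3), (4, 5))]
    print(h_symmetry_groups(f_gsym, 6, [(0,), (1,), (2, 3), (4, 5)]))
    # [((2, 3),), ((4, 5),)]
```

For the example of the text, $k = 2$ gives exactly the three cofactor pairs 0/1, 0/2 and 1/2 listed above; for the function of Section 5.3 the 0/2 pair already fails (the two cofactors are $b_0$ and $a_0$), which is why its two symmetric pairs are not h-symmetric.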

5.3 Group symmetries 

Now we change our focus to the following kind of symmetry. 

Definition 8.9 (group symmetry) Let $f \in B_n$ be a Boolean function 
with $n$ input variables $X_n = [x_1, x_2, \ldots, x_n]$. Let $Y_1, Y_2, \ldots, Y_k \subseteq X_n$ be 
non-empty and pairwise disjoint subsets of $X_n$ with $k > 1$. The $k$ groups of 
input variables are group symmetric (g-symmetric) if and only if 

1. $|Y_i| > 1$ for all $i \in \mathbb{N}_k$. 

2. There are (non-trivial) permutations $\tau_1, \tau_2, \ldots, \tau_k$ of the variables in 
$Y_1, Y_2, \ldots, Y_k$, respectively, such that applying the input permutations $\tau_i$ to $Y_i$ simultaneously 
for all $i \in \mathbb{N}_k$ does not change the function $f$. 

Note that manipulating just one or a couple of variable subsets $Y_j$ may change 
the function $f$. The following example will help to clarify the definition. 
Consider the Boolean function 

$$f = (a_0 \cdot x_1 \cdot x_2) + (b_0 \cdot x_3 \cdot x_4).$$ 

Here, $\{x_1, x_2\}$ and $\{x_3, x_4\}$ are pairs of symmetric variables, but there is no 
h-symmetry between them because of the existence of the input variables $a_0$ 
and $b_0$. However, exchanging $\{x_1, x_2\}$ with $\{x_3, x_4\}$ and $a_0$ with $b_0$ keeps the 
function invariant. So, there is what we call g-symmetry between the two 
subsets of input variables, $\{x_1, x_2, x_3, x_4\}$ and $\{a_0, b_0\}$, and 

$$A = \{\{x_1, x_2, x_3, x_4\}, \{a_0, b_0\}\}$$ 

holds. 

Again, we have a case where signatures will be unable to distinguish between the 
variables, and thus results in the formation of aliasing groups. Unfortunately, 
practical experience shows that this kind of $G$-symmetry appears relatively 
often. One well-known example is an $n$-bit multiplier, which computes 

$$\phi_2^{-1}\Bigl(\phi_2(x_n, x_{n-1}, \ldots, x_{\frac{n}{2}+1}) \cdot \phi_2(x_{\frac{n}{2}}, \ldots, x_2, x_1)\Bigr),$$ 

where $\phi_2 : \{0,1\}^* \to \mathbb{Z}$ is the two's complement encoding; we assume that 
$n$ is an even natural number. Exchanging $x_i$ and $x_{\frac{n}{2}+i}$ for each $i = 1, \ldots, \frac{n}{2}$ 
simultaneously keeps the function invariant. The partition $A$ of these variables 
is 

$$\Bigl\{\{x_i, x_{\frac{n}{2}+i}\} \,\Big|\, i = 1, \ldots, \tfrac{n}{2}\Bigr\}.$$ 

So there are at least $2^{\frac{n}{2}}$ possible variable correspondences for an $n$-bit multiplier 
after signature computation. Taking the g-symmetry of the $n$-bit multiplier 
function into account, this number could decrease by one half, i.e., instead of 
$2^{\frac{n}{2}}$ possible variable correspondences, only $2^{\frac{n}{2}-1}$ correspondences have to be 
checked, which is still too large in general. 

Moreover, it seems to be very complicated to detect a g-symmetry in gen- 
eral. To be able to handle general g-symmetries, we need a way to detect 
g-symmetric groups of input variables and a way to select those permutations 
of these variables that keep the g-symmetric function invariant. Considering 
the very general property of g-symmetry, this looks like a complicated task. 

In looking for possible ways to handle g-symmetry we made the following interesting 
observation. The subsets of input variables that result in a g-symmetry 
are often connected with each other in the following sense: if we have identified 
the variables of one of these subsets, then it is possible to identify the variables 
of the other subsets as well. With this knowledge we can develop heuristics 
to distinguish between variables of g-symmetric subsets. It works as follows. 
Given a Boolean function $f \in B_n$, let us consider the following situation. There 
is a partial, permutation independent order of the $n$ input variables of $f$ constructed 
by using the signatures presented above. Furthermore, the groups of 
symmetric input variables (see Section 5.1) are identified as well as the aliasing 
groups with h-symmetric groups of input variables (see Section 5.2). Nevertheless, 
there are still unidentified groups of aliasing variables. For the sake of 
simplicity, say these groups are $A_1, A_2, \ldots, A_k$. In this situation, we assume 
that all $k$ groups of aliasing variables are connected by one g-symmetry and use 
the observation that the groups of input variables that result in a g-symmetry 
are often connected with each other in the special sense just mentioned. 

Now, we just assume that the input variables of one of these aliasing groups, 
say $A_1$, are uniquely identified. Under this assumption, we apply a couple of 
function signatures to each variable of the other $k - 1$ aliasing groups, i.e., we 
construct function signatures that depend not only on those input variables that 
can be uniquely identified but also on those of aliasing group $A_1$. The basic 
idea of this heuristic is that we may be able to find a unique function signature 
for each of the input variables in $A_2$ to $A_k$ in the case of g-symmetry, because 
of the connection among all $k$ aliasing groups of such a g-symmetry. If this 
is the case, we can uniquely identify each input variable in the aliasing groups 
$A_2$ to $A_k$. Practical experience has shown that often this is indeed the case 
[105]. 

Let us consider an example. Consider the Boolean function 

$$f(a_1, a_2, a_3, x_1, x_2, x_3) = (a_1 \cdot (x_1 + x_2)') + (a_2 \cdot (x_2 + x_3)') + (a_3 \cdot (x_3 + x_1)').$$ 

This function $f$ is g-symmetric with respect to the variable groups $\{a_1, a_2, a_3\}$ 
and $\{x_1, x_2, x_3\}$. Let us see how the heuristic works. We pick one of 
these two aliasing groups, say $\{a_1, a_2, a_3\}$, and assume that we can uniquely 
identify these three variables. We assume that $a_1 < a_2 < a_3$ holds. Under 
this assumption we can apply a function signature to the other three variables 
which may depend on $a_1$, $a_2$, and $a_3$: 

$$f_{[x_1,x_2,x_3]=(1,0,0)} = a_2,$$ 

$$f_{[x_1,x_2,x_3]=(0,1,0)} = a_3,$$ 

$$f_{[x_1,x_2,x_3]=(0,0,1)} = a_1.$$ 

And indeed, the variables $x_1$, $x_2$, and $x_3$ can be uniquely identified with these 
signatures. Furthermore, we can use the order relation for function signatures 
to obtain a unique order of the variables $x_1$, $x_2$, and $x_3$. Applying the lexicographic 
order relation for Boolean functions (see Definition 2.10 on page 
15) the unique order of the three variables is $(x_3, x_1, x_2)$. 

This unique description is not permutation independent. It depends on the 
permutation of the input variables in $A_1$, which was in the case of the above 
example $(a_1, a_2, a_3)$. So we need a way to make the information permutation 
independent. For this, we consider the permutation $\tau$ of the input variables of 
$f$ which results in the current unique order of these variables given by the 
signatures (assuming that there is a unique ordering). In the above example, 
this input permutation $\tau \in Per(\{a_1, a_2, a_3, x_1, x_2, x_3\})$ is defined by 

$$\tau(y) = \begin{cases} a_i, & \text{if } y = a_i \text{ for some } i \in \{1, 2, 3\} \\ x_3, & \text{if } y = x_1 \\ x_1, & \text{if } y = x_2 \\ x_2, & \text{if } y = x_3. \end{cases}$$ 

With the help of $\tau$, we construct the Boolean function $\tilde f = f \circ \tau$. This function 
is stored in a set $F$. Now, the same procedure is carried out for each possible 
order of the input variables in $A_1$. 

Table 8.1 lists all the orders of $A_1 = \{a_1, a_2, a_3\}$ in the left column. Each of 
these orders implies an order for the variables $\{x_1, x_2, x_3\}$ which are listed in 
the right column of the table. 

Table 8.1. Group Symmetry: Computation of $F$ 

Order of $\{a_1, a_2, a_3\}$      Induced order of $\{x_1, x_2, x_3\}$ 
$(a_1, a_2, a_3)$               $(x_3, x_1, x_2)$ 
$(a_1, a_3, a_2)$               $(x_3, x_2, x_1)$ 
$(a_2, a_1, a_3)$               $(x_1, x_3, x_2)$ 
$(a_2, a_3, a_1)$               $(x_1, x_2, x_3)$ 
$(a_3, a_1, a_2)$               $(x_2, x_3, x_1)$ 
$(a_3, a_2, a_1)$               $(x_2, x_1, x_3)$ 

After computation of $F$, the lexicographically smallest of all Boolean functions 
in $F$ is selected. The variable order which belongs to this function and the 
function itself are the permutation independent information for function $f$. 

Note that we can also use any of the other sets of aliasing variables, $A_2, \ldots, A_k$. 
We suggest using one of those sets with minimal size, since this reduces the 
number of steps necessary to construct set $F$. 
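The heuristic of this section, from the function signatures under an assumed order of $A_1$ through the construction of $F$ and the choice of its smallest member, as an added, runnable example on the function above; this is not code from the book. Assumptions: a Boolean function is a callable on an $n$-tuple of bits with $a_i, x_i$ as 0-based indices; the two aliasing groups are known and together cover all inputs (as in the example); the lexicographic order of Boolean functions is taken to be the order of truth-table tuples; and the function signature of $x_j$ is the cofactor with $x_j = 1$ and the other $x$-variables set to 0, which reproduces the three signatures listed in the text.

```python
from itertools import permutations, product

# Added example (not code from the book): the group-symmetry heuristic of
# Section 5.3 applied to f(a1,a2,a3,x1,x2,x3). Assumptions: a Boolean function
# is a callable on an n-tuple of bits (x_i / a_i of the text are 0-based
# indices), the two aliasing groups A1 = {a1,a2,a3} and A2 = {x1,x2,x3} are
# already known and together cover all inputs, the lexicographic order of
# Boolean functions is the order of their truth-table tuples, and the function
# signature of x_j is the cofactor with x_j = 1 and the other x-variables 0.

def nor(a, b):
    return int(not (a or b))

def f_example(v):
    """f = a1*(x1+x2)' + a2*(x2+x3)' + a3*(x3+x1)'  (the book's example)."""
    a1, a2, a3, x1, x2, x3 = v
    return int((a1 and nor(x1, x2)) or (a2 and nor(x2, x3)) or (a3 and nor(x3, x1)))

def truth_table(f, n, order):
    """Truth table of f o tau, where tau reads the inputs in `order`: the
    i-th bit of an assignment is given to the variable with index order[i]."""
    table = []
    for bits in product((0, 1), repeat=n):
        v = [0] * n
        for idx, b in zip(order, bits):
            v[idx] = b
        table.append(f(tuple(v)))
    return tuple(table)

def function_signatures(f, n, order_a, group_x):
    """Signature of each x in group_x under an assumed order of A1: the
    cofactor f|x=1, other x's = 0, tabulated over A1 in that order."""
    sigs = {}
    for j in group_x:
        table = []
        for bits in product((0, 1), repeat=len(order_a)):
            v = [0] * n
            for idx, b in zip(order_a, bits):
                v[idx] = b
            v[j] = 1
            table.append(f(tuple(v)))
        sigs[j] = tuple(table)
    return sigs

def induced_order(f, n, order_a, group_x):
    """Order of group_x implied by the signatures, or None when two
    x-variables share a signature and cannot be told apart."""
    sigs = function_signatures(f, n, order_a, group_x)
    if len(set(sigs.values())) < len(group_x):
        return None
    return tuple(sorted(group_x, key=lambda j: sigs[j]))

def canonical_form(f, n, group_a, group_x):
    """Run the heuristic for every order of A1 (Table 8.1), collect the set F
    of functions f o tau, and return (smallest table, its variable order,
    |F|). The first two are the permutation independent description of f."""
    F = {}
    for order_a in permutations(group_a):
        xs = induced_order(f, n, order_a, group_x)
        if xs is None:
            continue
        order = tuple(order_a) + xs
        F.setdefault(truth_table(f, n, order), order)
    smallest = min(F)
    return smallest, F[smallest], len(F)

def f_shuffled(v):
    """The same function with its inputs relabelled (constructed): index 3
    plays a1, 0 plays a2, 5 plays a3, 1 plays x1, 4 plays x2, 2 plays x3."""
    return f_example((v[3], v[0], v[5], v[1], v[4], v[2]))

if __name__ == "__main__":
    for order_a in permutations((0, 1, 2)):
        print(order_a, induced_order(f_example, 6, order_a, [3, 4, 5]))
    print(canonical_form(f_example, 6, [0, 1, 2], [3, 4, 5])[1:])
```

The six induced orders printed by the block are exactly the rows of Table 8.1. For this particular function every order of $A_1$ yields the same $f \circ \tau$, so $F$ has a single element; the point of the construction shows in the last assertion, where a relabelled copy of $f$ has a different truth table but the same canonical form.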
5.4 The variety of $G$-symmetry 

We introduced three kinds of $G$-symmetry that cover a wide range of symmetries 
appearing in practice. For these symmetries there are efficiently working 
solution paradigms for the permutation equivalence problem [105]. Nevertheless, 
it seems not to be possible to find a general solution paradigm which allows 
us to handle $G$-symmetry efficiently because of the generality of this function 
property. Each kind of $G$-symmetry seems to demand a special procedure to 
handle it. Although we feel that the $G$-symmetries introduced here are those 
mostly appearing in practice, other symmetries may appear as well. 

Let us present one of these $G$-symmetries. Consider the Boolean function 

$$f = (x_1 \cdot x_2) + (x_2 \cdot x_3) + (x_3 \cdot x_4) + (x_4 \cdot x_5) + (x_5 \cdot x_1).$$ 

It is obvious that rotating the five variables in function $f$ does not change 
this function. So it is a $G$-symmetry as well. All five input variables of the 
Boolean function $f$ will form one aliasing group that cannot be refined by 
using signatures. Furthermore, there are no partial, no hierarchical, as well 
as no group symmetries between these input variables. We call this kind of 
symmetry rotational symmetry. 



Definition 8.10 (rotational symmetry) Let $f \in B_n$ be a Boolean 
function. Let 

$$Y = [y_1, y_2, \ldots, y_k] \subseteq X_n$$ 

be a subset of the input variables of $f$. Let $\tau \in Per(X_n)$ be the permutation 
on $X_n$ which is defined by 

$$(\forall x_i \in X_n)\quad \tau(x_i) = \begin{cases} y_{(j \bmod k)+1}, & \text{if } x_i = y_j \text{ for some } j \in \mathbb{N}_k \\ x_i, & \text{if } x_i \notin Y. \end{cases}$$ 

$f$ is rotationally symmetric (r-symmetric) if and only if 

■ $k \ge 3$, 

■ $f$ is not partially symmetric in $Y$, and 

■ $f$ does not change on applying the input permutation $\tau$ to the variables of $Y$. 

Note that also the input permutation $\tau^{-1}$ keeps $f$ invariant, as well as applying 
$\tau$ more than once, since the set $G \subseteq Per(X_n)$ which is constructed by an 
r-symmetry is a group. Similar to group symmetry, r-symmetry is neither easy 
to detect nor easy to handle. Furthermore, the heuristic applied for the group 
symmetries (i.e., assume one of the input variables of $Y$ has been uniquely 
identified by a signature, then try to use function signatures to distinguish 
between the others as well) does not work very well for rotational symmetry, as 
experiments have shown. Rotational symmetry illustrates the difficulties that 
may appear in general with $G$-symmetries. 
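The three conditions of Definition 8.10, checked on the five-variable function above and on a constructed counter-example, as an added, runnable example (not the book's code). It assumes a Boolean function is a callable on an $n$-tuple of bits, $x_i$ of the text is index $i-1$, and $Y$ is passed as the ordered index tuple $[y_1, \ldots, y_k]$; invariance under a permutation is decided by comparing full truth tables, and partial symmetry in $Y$ by invariance under every transposition of two variables of $Y$.

```python
from itertools import product

# Added example (not from the book): checking the three conditions of
# Definition 8.10 on a candidate set Y. A Boolean function is a callable on an
# n-tuple of bits, x_i of the text is index i-1, and Y is given as an ordered
# tuple of indices [y_1,...,y_k]; invariance is checked by comparing the full
# truth tables of f and f o tau.

def truth_table(f, n, perm):
    """Truth table of f o tau, where variable i reads the bit at position
    perm[i] of each assignment."""
    return tuple(f(tuple(bits[perm[i]] for i in range(n)))
                 for bits in product((0, 1), repeat=n))

def invariant_under(f, n, perm):
    return truth_table(f, n, list(range(n))) == truth_table(f, n, perm)

def rotation(n, y):
    """The permutation tau of Definition 8.10: y_j -> y_{(j mod k)+1}, every
    variable outside Y fixed (returned as a position list for truth_table)."""
    perm = list(range(n))
    k = len(y)
    for j in range(k):
        perm[y[j]] = y[(j + 1) % k]
    return perm

def transposition(n, i, j):
    perm = list(range(n))
    perm[i], perm[j] = j, i
    return perm

def partially_symmetric_in(f, n, y):
    """f is symmetric in Y iff it is invariant under every transposition of
    two variables of Y (transpositions generate all permutations of Y)."""
    return all(invariant_under(f, n, transposition(n, y[a], y[b]))
               for a in range(len(y)) for b in range(a + 1, len(y)))

def is_r_symmetric(f, n, y):
    """Definition 8.10: k >= 3, f not partially symmetric in Y, and f
    invariant under the rotation tau of Y."""
    return (len(y) >= 3
            and not partially_symmetric_in(f, n, y)
            and invariant_under(f, n, rotation(n, y)))

def f_ring(v):
    """f = x1x2 + x2x3 + x3x4 + x4x5 + x5x1, the book's example."""
    x1, x2, x3, x4, x5 = v
    return int((x1 and x2) or (x2 and x3) or (x3 and x4) or (x4 and x5) or (x5 and x1))

def f_majority(v):
    """Constructed counter-example: totally symmetric, hence rotation
    invariant, but excluded by the second condition of the definition."""
    return int(sum(v) >= 2)

def nor(a, b):
    return int(not (a or b))

def f_hsym(v):
    """The h-symmetry example (x1+x2)' + (x3+x4)' + (x5+x6)': rotating
    {x1,x2,x3} changes it, so it is not r-symmetric in that set."""
    return int(nor(v[0], v[1]) or nor(v[2], v[3]) or nor(v[4], v[5]))

if __name__ == "__main__":
    print(is_r_symmetric(f_ring, 5, (0, 1, 2, 3, 4)))      # True
    print(is_r_symmetric(f_majority, 3, (0, 1, 2)))         # False
    print(is_r_symmetric(f_hsym, 6, (0, 1, 2)))             # False
```

The majority case shows why the second condition is needed: without it every totally symmetric function would count as r-symmetric, although such a set of variables is already handled by the partial-symmetry test of Section 5.1.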

However, partial symmetries, hierarchical symmetries, and group symmetries 
seem to be the most common $G$-symmetries appearing in practice. So, the 
algorithms presented for handling these symmetries have direct practical impact 
on the complete solution of the permutation problem. For some insights into 
practical experiences with using these techniques we refer to [105]. 







Notes 

1 As already said in connection with Definition 8.1 on page 171, a permutation 
$\hat\tau$ of $\mathbb{N}_n$ induces a permutation $\tau \in Per(X_n)$ defined by 

$$\forall x_i \in X_n : \tau(x_i) = x_{\hat\tau(i)},$$ 

and vice versa. It also induces a permutation $\tilde\tau \in Per(\{0,1\}^n)$ defined by 

$$\tilde\tau(x_1, \ldots, x_n) = (x_{\hat\tau(1)}, \ldots, x_{\hat\tau(n)}).$$ 

For the sake of simplicity, we use $\hat\tau$, $\tilde\tau$, and $\tau$ interchangeably and use the 
notation $\tau$ for each of the three functions. 
EQUIVALENCE CHECKING 
OF SEQUENTIAL CIRCUITS 

The current output of digital circuits may depend not only on the current assignment 
of the primary inputs but on previous values also. Sequential circuits 
allow storing information about the history of previous values in internal storage, 
i.e., flipflops, registers, and random access memories. The current values of 
these storage elements constitute the state of the sequential circuit. 

In theory, any digital system can be modelled as a finite-state machine (FSM). 
There is a well-developed theory for analyzing FSMs, including checking their 
equivalence [75]. We are going to give a detailed introduction to these formal 
basics in Chapter 9. Section 3 of Chapter 9 is going to dwell on state space 
traversal, which is the basis of most of the general equivalence checking methods 
for sequential circuits. 

In most cases, equivalence checking is applied to sequential circuits to show 
that certain circuit modifications have not altered the functional behavior of the 
circuit. Often, the state encoding of both circuits remains the same. In this 
special case it is not necessary to perform a costly state space traversal. It is 
sufficient to compare the Boolean output function and the state transition function, 
which can be considered as combinational circuits when the correspondence 
of the latches of the two sequential circuits to be checked can be established. 
As already explained in the motivation of permutation independent Boolean 
comparison (Chapter 8), there are several cases in which the correspondence may 
get lost. Here the verifier has to be able to establish the latch correspondence 
based on the individual functions to avoid time consuming state space traversal 
[118]. Chapter 10 is going to deal with this latch correspondence problem. 
Chapter 9 



FORMAL BASICS 



In Section 1 basic notations with regard to the theory of sequential circuits 
are reviewed. In particular, we concentrate on the definition of finite state 
machines and their representations. Section 2 gives a formal definition of the 
equivalence of finite state machines and reviews the traditional basic methods 
to compute state equivalences. Algorithms for traversing the state space of a 
finite state machine are presented in Section 3. They are the basis of most of 
the equivalence checking procedures for sequential circuits known in literature. 
The chapter closes with error trace generation. 

1. Finite State Machines and their representations 

Finite state machines are critical for realizing the "decision-making" logic in 
digital logics. Since in hardware implementations nondeterminism should not 
appear, we only consider deterministic finite automata in the following. 

1.1 Basic definitions 

There are two basic ways to organize clocked sequential circuits, Moore au- 
tomata and Mealy automata. 

Definition 9.1 (moore automaton) 

A Moore automaton is a tuple $M = (S, I, O, \delta, \lambda, r)$. It consists of 

■ a finite set $S \subseteq \{0,1\}^q$ of states for some constant $q \in \mathbb{N}$, 

■ a finite set $I \subseteq \{0,1\}^n$ of input symbols for some constant $n \in \mathbb{N}$, 

■ a finite set $O \subseteq \{0,1\}^m$ of output symbols for some constant $m \in \mathbb{N}$, 

■ a transition function $\delta : S \times I \to S$ which takes as arguments a state $s$ 
and an input symbol $w$ and returns the state that the automaton enters after 
processing input symbol $w$ in state $s$, 

■ an output function $\lambda : S \to O$ which specifies the output of the automaton 
depending on the present state, and 

■ a start state $r \in S$. 



Figure 9.1 illustrates the definition of a Moore automaton. 

[Figure 9.1. Moore machine [70]; labels recoverable from the figure: state register, clock, $m$ binary outputs] 

Here, we consider 

sequential circuits with reset lines, i.e., circuits which are in a definite initial 
state r after power-on. Outputs are computed by a combinational logic circuit 
whose only inputs are the state outputs, which we denote as present state vari- 
ables in the following. Thus the outputs change synchronously with the state 
transition and the clock edge. Both facts are desirable properties of real hard- 
ware controllers because fully synchronous finite state machines with reset lines 
are much easier to implement and debug than asynchronous automata without 
reset lines. Furthermore, since we focus on given hardware implementations 
of such automata, states, input symbols, and output symbols are considered to 
be binary encoded. 

Moore automata are special Mealy automata which are a more general concept, 
from a practical point of view. Often, a Mealy automaton can generate the same 
output sequence in fewer states than a Moore automaton. 
Definition 9.2 (mealy automaton) A Mealy automaton is a tuple $M = 
(S, I, O, \delta, \lambda, r)$. $S$, $I$, $O$, $\delta$, and $r$ are defined as in Definition 9.1. Output 
function $\lambda$ is a function that specifies the output of the automaton depending on 
the present state and the present value of the input, i.e., $\lambda : S \times I \to O$. 

The outputs of Mealy automata depend on the present state and the present value 
of the primary inputs. Figure 9.2 illustrates this inherent asynchronous behavior. 

[Figure 9.2. Mealy machine [70]; labels recoverable from the figure: $n$ binary inputs, state register with reset, combinational logic of the transition function and the outputs, state feedback, clock, $m$ binary outputs] 

The outputs can change immediately after a change at the inputs, independent of 
the clock. Such glitches are undesirable in real hardware controllers. This leads 
to an alternative synchronous design style for Mealy automata by synchronizing 
the Mealy automata outputs with output flipflops as shown in Figure 9.3. In 
this book, we concentrate on such synchronous Mealy automata, which we 
call Finite State Machines (FSM). Note that there should be no glitches at the 
outputs of synchronous Mealy automata. 

Since we are interested in what happens when we start in a state $s$ and follow 
a finite sequence $w \in I^+$ of input symbols, we define the extended transition 
function 

$$\delta^+ : S \times I^+ \to S$$ 

and extended output function 

$$\lambda^+ : S \times I^+ \to O^+$$ 

which are defined for all $s \in S$ and $w \in I^+$ as 

$$\delta^+(s, w) = \begin{cases} \delta(s, w) & \text{if } |w| = 1 \\ \delta(\delta^+(s, w_{1..|w|-1}), w_{|w|}) & \text{if } |w| \geq 2 \end{cases}$$ 

and 

$$\lambda^+(s, w) = \begin{cases} \lambda(s, w) & \text{if } |w| = 1 \\ (\lambda^+(s, w_{1..|w|-1}), \lambda(\delta^+(s, w_{1..|w|-1}), w_{|w|})) & \text{if } |w| \geq 2, \end{cases}$$ 

respectively. 

[Figure 9.3. Synchronous Mealy machine [70]: clock, m binary outputs] 

For a subset $T \subseteq S$ of the states, the set of the states of $S$ which can be reached 
from states of $T$ is denoted by $REACH_M(T)$, or $REACH(T)$ in short, which 
is formally defined as 

$$REACH(T) = T \cup \{ s \in S ;\ \exists t \in T\ \exists w \in I^+ : \delta^+(t, w) = s \}.$$ 

Furthermore, let $PRED(T)$ and $SUCC(T)$ denote the set of the immediate 
predecessors and successors, respectively, of states of $T$, i.e., 

$$PRED(T) = \{ s \in S ;\ \exists t \in T\ \exists w \in I : \delta(s, w) = t \}$$ 

and 

$$SUCC(T) = \{ s \in S ;\ \exists t \in T\ \exists w \in I : \delta(t, w) = s \}.$$ 



1.2 Representations of Finite State Machines 

Basically there are two different categories of FSM representations - explicit 
and implicit representations. 



1.2.1 Explicit representations 

The traditional approach to represent an FSM $M = (S, I, O, \delta, \lambda, r)$ is to list 
for each state $s$ and each input symbol $w \in I$ the next state $\delta(s, w)$ and the 
output symbol $\lambda(s, w)$. Since the states, input symbols, and output symbols are 
encoded, the transition function $\delta$ and the output function $\lambda$ are (incompletely 
specified) Boolean functions, 

$$\delta : \{0,1\}^q \times \{0,1\}^n \to \{0,1\}^q$$ 

and 

$$\lambda : \{0,1\}^q \times \{0,1\}^n \to \{0,1\}^m.$$ 

Thus, they can be represented as truth tables (see Chapter 3 Section 2.1). 

A more pictorial representation of an FSM is the state transition diagram which 
is a directed graph $G = (S, E, label)$ whose nodes are given by the set $S$ of 
the states of the FSM. There is an edge $e \in E$ from state $s$ to state $t$ labelled 
with $w|y$, i.e., $label(e) = w|y$, if and only if there is an input symbol $w \in I$ 
such that $\delta(s, w) = t$ and $\lambda(s, w) = y$ hold. For illustration, see the state 
transition diagram shown in Figure 9.4 (where we have not encoded the states, 
for the sake of simplicity). In this figure, the following finite state machine is 
represented: $M = (\{s_0, s_1\}, \{0,1\}^2, \{0,1\}, \delta, \lambda, s_0)$ with 

$$\delta(s, w) = \begin{cases} s_0 & \text{if } s = s_0 \text{ and } w \in \{00, 01, 10\} \\ s_1 & \text{if } s = s_0 \text{ and } w \in \{11\} \\ s_1 & \text{if } s = s_1 \text{ and } w \in \{01, 10, 11\} \\ s_0 & \text{if } s = s_1 \text{ and } w \in \{00\} \end{cases}$$ 

and 

$$\lambda(s, w) = \begin{cases} 0 & \text{if } s = s_0 \text{ and } w \in \{00, 11\} \\ 1 & \text{if } s = s_0 \text{ and } w \in \{01, 10\} \\ 0 & \text{if } s = s_1 \text{ and } w \in \{01, 10\} \\ 1 & \text{if } s = s_1 \text{ and } w \in \{00, 11\}. \end{cases}$$ 

[Figure 9.4. Serial Adder [17]: state transition diagram with edge labels 00|0, 01|0, 11|0, 00|1, 10|1, 11|1, 10|0] 
It describes a serial adder. In the $i$th clock cycle, the FSM is in state $s_0$ if the 
carry-bit $c_{i-1}$ of position $i-1$ was 0; otherwise it is in state $s_1$. Note that $s_0$ 
is the start state as well. The $i$th bits $a_i$ and $b_i$ of the two operands $a$ and $b$ are 
read. The corresponding sum-bit, which is $c_{i-1} \oplus a_i \oplus b_i$, determines the output. 

The carry-bit $c_i$, which is $(a_i \cdot b_i) + ((a_i \oplus b_i) \cdot c_{i-1})$, determines the transition. 
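The definitions of Section 1 (the extended functions $\delta^+$ and $\lambda^+$ and the operators REACH, PRED and SUCC) together with the explicit representation of the serial adder of Figure 9.4, worked through in Python. This is an added example, not code from the book; the class name FSM, the dictionary encoding of $\delta$ and $\lambda$, and the helper add_serially are this example's own choices.

```python
"""Explicit FSM representation with the extended functions delta+ and lambda+
and the operators REACH, PRED and SUCC of Section 1, worked on the serial
adder of Figure 9.4.  Added example, not code from the book."""

class FSM:
    """M = (S, I, O, delta, lam, r); delta and lam are dicts keyed by (state, input)."""

    def __init__(self, states, inputs, delta, lam, start):
        self.S = frozenset(states)
        self.I = frozenset(inputs)
        self.delta = delta          # (state, input symbol) -> next state
        self.lam = lam              # (state, input symbol) -> output symbol
        self.r = start

    def delta_plus(self, s, w):
        """delta+(s, w): the state reached after reading the sequence w in s."""
        for a in w:
            s = self.delta[(s, a)]
        return s

    def lambda_plus(self, s, w):
        """lambda+(s, w): the output sequence produced while reading w in s."""
        out = []
        for a in w:
            out.append(self.lam[(s, a)])
            s = self.delta[(s, a)]
        return tuple(out)

    def succ(self, T):
        """SUCC(T): immediate successors of the states in T."""
        return {self.delta[(t, a)] for t in T for a in self.I}

    def pred(self, T):
        """PRED(T): immediate predecessors of the states in T."""
        return {s for s in self.S for a in self.I if self.delta[(s, a)] in T}

    def reach(self, T):
        """REACH(T) as the fixed point T, T u SUCC(T), ... (cf. Section 3.1.1)."""
        reached, front = set(T), set(T)
        while front:
            front = self.succ(front) - reached
            reached |= front
        return reached

def serial_adder():
    """The serial adder of Figure 9.4: input symbols are the bit pairs (a_i, b_i),
    state s0 means carry-in 0 and s1 means carry-in 1."""
    inputs = [(a, b) for a in (0, 1) for b in (0, 1)]
    delta, lam = {}, {}
    for s, carry in (("s0", 0), ("s1", 1)):
        for a, b in inputs:
            lam[(s, (a, b))] = carry ^ a ^ b                 # sum bit
            c = (a & b) | ((a ^ b) & carry)                   # carry out
            delta[(s, (a, b))] = "s1" if c else "s0"
    return FSM({"s0", "s1"}, inputs, delta, lam, "s0")

def add_serially(x, y, width):
    """Feed x and y bit by bit (least significant first) through the adder.
    Returns the sum modulo 2**width and the final state (the carry out)."""
    m = serial_adder()
    w = [((x >> i) & 1, (y >> i) & 1) for i in range(width)]
    bits = m.lambda_plus(m.r, w)
    return sum(b << i for i, b in enumerate(bits)), m.delta_plus(m.r, w)

if __name__ == "__main__":
    m = serial_adder()
    print(add_serially(5, 6, 4))          # (11, 's0')
    print(m.reach({"s0"}), m.pred({"s1"}))
```

Because the states are the carry values, the final state after the last bit pair is the carry out of the addition, which is why add_serially(9, 9, 4) ends in s1.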

Unfortunately, it can be difficult to describe complex FSMs in this way. Just 
consider a counter modulo $2^q$. This sequential circuit consists of $2^q$ states. Of 
course, it cannot be represented by an explicit representation whenever $q$ is 
large. 

1.2.2 Implicit representations 

In contrast to the tabular form, an implicit representation of an FSM does not 
explicitly enumerate the states. The basic idea is to represent the transition 
function 

$$\delta : \{0,1\}^{q+n} \to \{0,1\}^q$$ 

and the output function 

$$\lambda : \{0,1\}^{q+n} \to \{0,1\}^m$$ 

by $q$ and $m$ ROBDDs (or combinational circuits), respectively. 

For illustration, consider the counter modulo $2^q$ from above, once again. Let 
$s_{q-1}, \ldots, s_0$ be the present state variables and assume that for all $c \in \mathbb{N}_0$, the 
equation 

$$c \bmod 2^q = \sum_{i=0}^{q-1} s_i 2^i$$ 

holds after $c$ clock cycles. It is easy to see that the transition function can be 
represented by $q$ ROBDDs $\Delta_{q-1}, \ldots, \Delta_0$ of linear size, i.e., $|\Delta_i| = O(q)$, 
such that $\Delta_i$ determines the $i$th bit-position of the next state. Figure 9.5 shows 
ROBDD $\Delta_i$. 

This proves that large FSMs can be compactly represented by ROBDDs. Further- 
more, remember that we have shown in Chapter 3 that ROBDDs are particularly 
suitable for both analysis and synthesis of Boolean functions. 

2. Equivalence of Finite State Machines 

Before going into details, we have to formally define the equivalence of two 
FSMs. Intuitively, two finite state machines $M_1 = (S_1, I_1, O_1, \delta_1, \lambda_1, r_1)$ and 
$M_2 = (S_2, I_2, O_2, \delta_2, \lambda_2, r_2)$ are equivalent if they have the same input/output 
behavior, i.e., $I_1 = I_2$, $O_1 = O_2$, and for an arbitrary input sequence $w \in I_1^+$ 
applied to both start states $r_1$ and $r_2$ the same output sequence results. To 
formalize this notion, we have to introduce equivalent states. 

[Figure 9.5. ROBDD $\Delta_i$ of the counter modulo $2^q$] 

Definition 9.3 (functionally equivalent states) 

Two states $s_1 \in S_1$ and $s_2 \in S_2$ are functionally equivalent, written $s_1 \sim s_2$, if 
and only if 

$$\forall w \in I^+ : \lambda_1^+(s_1, w) = \lambda_2^+(s_2, w).$$ 

Otherwise, we say that $s_1$ and $s_2$ are distinguishable and write $s_1 \not\sim s_2$. 

Definition 9.4 (functionally equivalent machines) 

The finite state machines $M_1$ and $M_2$ are called functionally equivalent, written 
$M_1 \sim M_2$, if the start states $r_1$ and $r_2$ are functionally equivalent, i.e., $r_1 \sim r_2$. 

Although Definition 9.3 is given for two different automata, it can be used 
for a single FSM to find equivalent states. To ease the presentation of basic 
algorithms for deciding whether two states are equivalent, we introduce a further 
notion. 

Definition 9.5 (c-equivalent states) 

Two states $s_1 \in S_1$ and $s_2 \in S_2$ are $c$-equivalent for some constant $c \in \mathbb{N}$, 
written $s_1 \sim_c s_2$, if 

Otherwise, we say that $s_1$ and $s_2$ are $c$-distinguishable and we write $s_1 \not\sim_c s_2$. 

It is obvious that two states $s_1 \in S_1$ and $s_2 \in S_2$ are distinguishable if and 
only if there exists a constant $c \in \mathbb{N}$ such that $s_1$ and $s_2$ are $c$-distinguishable. 

2.1 The table-filling algorithm 

The basic algorithm for finding the states of an FSM $M = (S, I, O, \delta, \lambda, r)$ 
which are equivalent is a recursive discovery of distinguishable pairs. It is 
known as the table-filling algorithm [62]. Instead of computing pairs of equivalent 
states, it concentrates on finding pairs of states that are distinguishable. In an 
initialization step, all pairs of states which are 1-distinguishable are marked. 
As noticed, these pairs of states are distinguishable. Then, we are looking 
for pairs of states $p$ and $q$ such that for some input value $w \in I$, $\delta(p, w)$ and 
$\delta(q, w)$ are a pair of states known to be distinguishable. It is easy to see that in 
this case $p$ and $q$ are distinguishable, too. They are marked by the algorithm. 
The algorithm stops if no such pair can be found any more. A sketch of the 
algorithm is shown in Figure 9.6. 

The algorithm computes the set $E$ of pairs of states which are equivalent, since 
any pair of states which is not marked by the algorithm is functionally 
equivalent. 

Theorem 9.1 ([62]) 

If two states are not distinguishable by the table-filling algorithm, then the 
states are equivalent. 

Proof: Assume that there is a pair of states which is distinguishable although 
the table-filling algorithm does not find it. We call this pair a bad pair. 
Because of the initialization step of the table-filling algorithm, the algorithm 
marks all pairs of states which are 1-distinguishable. 

Now, let $w \in I^+$ be the shortest sequence which distinguishes a bad pair. Let 
$\{p, q\}$ be a bad pair with 

$$\lambda^+(p, w) \neq \lambda^+(q, w).$$ 

Because of the initialization step of the table-filling algorithm, the states of bad 
pairs are 1-equivalent. Thus the length $|w|$ of sequence $w$ has to be larger than 
1 and it follows for $s = \delta(p, w_1)$ and $t = \delta(q, w_1)$ 

$$\lambda^+(s, w_{2..|w|}) = \lambda^+(p, w)_{2..|w|} \neq \lambda^+(q, w)_{2..|w|} = \lambda^+(\delta(q, w_1), w_{2..|w|}) = \lambda^+(t, w_{2..|w|}),$$ 

since $\lambda^+(p, w) \neq \lambda^+(q, w)$ but $p \sim_1 q$. 
TABLE_FILLING(M) 
begin 
  E = {{p, q}; p, q ∈ S and p ~1 q}; 
  // E contains the pairs of states that are 1-equivalent 
  D = {{p, q}; p, q ∈ S} \ E; 
  // D contains the pairs of states found to be distinguishable 
  repeat 
    found1 = 0; 
    foreach {p, q} ∈ E do 
      found2 = 0; 
      foreach w ∈ I do 
        if ({δ(p, w), δ(q, w)} ∈ D) 
        then E = E \ {{p, q}}; 
             D = D ∪ {{p, q}}; 
             found1 = found2 = 1; 
        fi; 
      od until found2 == 1; 
    od; 
  until found1 == 0; 
  return E; 
end; 

Figure 9.6. Table-filling algorithm 



That is, $s$ and $t$ are distinguishable by a sequence which is shorter than $w$. 
Because of the choice of $w$, the pair $\{s, t\}$ is found to be distinguishable by the 
table-filling algorithm and the table-filling algorithm does not stop until the pair 
$\{p, q\}$ is marked as well. This is a contradiction to our assumption that $\{p, q\}$ is 
a bad pair. ■ 

Let us now check the equivalence of two FSMs $M_1 = (S_1, I, O, \delta_1, \lambda_1, r_1)$ 
and $M_2 = (S_2, I, O, \delta_2, \lambda_2, r_2)$. Therefore, let us construct the FSM $M_1 \cup M_2$ 
which is the "disjoint union of $M_1$ and $M_2$". Let us assume without loss 
of generality that $S_1 \subseteq \{0,1\}^q$, $S_2 \subseteq \{0,1\}^q$, and $O \subseteq \{0,1\}^m$ for some 
$q, m \in \mathbb{N}$. Then, formally the FSM $M_1 \cup M_2$ can be defined as 

$$M_1 \cup M_2 = (\hat{S}_1 \cup \hat{S}_2 \cup \{\rho\}, I, \hat{O} \cup \{\tau\}, \delta, \lambda, \rho)$$ 

with 

$$\hat{S}_1 = \{0\} \times \{1\} \times S_1$$ 
$$\hat{S}_2 = \{1\} \times \{0\} \times S_2$$ 
$$\rho = (0, \ldots, 0) \in \{0,1\}^{q+2}$$ 
$$\hat{O} = \{1\} \times O$$ 
$$\tau = (0, \ldots, 0) \in \{0,1\}^{m+1}$$ 

$$\delta(s, w) = \begin{cases} (0, 1, \delta_1(s_{3..q+2}, w)) & \text{if } (s_1, s_2) = (0, 1) \\ (1, 0, \delta_2(s_{3..q+2}, w)) & \text{if } (s_1, s_2) = (1, 0) \\ \rho & \text{if } s = \rho \end{cases}$$ 

$$\lambda(s, w) = \begin{cases} (1, \lambda_1(s_{3..q+2}, w)) & \text{if } (s_1, s_2) = (0, 1) \\ (1, \lambda_2(s_{3..q+2}, w)) & \text{if } (s_1, s_2) = (1, 0) \\ \tau & \text{if } s = \rho. \end{cases}$$ 

That is, the encodings of the states of the FSM $M_1$ have sequence $(0, 1)$ as 
prefix and the encodings of the states of FSM $M_2$ have sequence $(1, 0)$ as 
prefix. In some sense, $M_1 \cup M_2$ is absurd since the FSM remains in the start 
state $\rho$ independently of the input sequence applied. However, applying the 
table-filling algorithm to $M_1 \cup M_2$ results in the computation of all pairs of 
states which are equivalent. Thus, $M_1$ and $M_2$ are functionally equivalent 
FSMs if and only if the pair $((0, 1, r_1), (1, 0, r_2))$ is found equivalent by the 
table-filling algorithm. 
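The table-filling algorithm of Figure 9.6 and the disjoint-union construction $M_1 \cup M_2$ above, as an added Python example (not the book's code). FSMs are plain tuples (states, inputs, $\delta$, $\lambda$, start) with $\delta$ and $\lambda$ as dictionaries; the two parity machines PARITY2 and PARITY4 and the faulty PARITY4_BUG are constructed sample inputs, and the strings "rho" and "tau" stand in for the fresh state $\rho$ and the fresh output $\tau$.

```python
"""Table-filling algorithm (Figure 9.6) and FSM equivalence via the disjoint
union M1 u M2 (Section 2.1).  Added example, not the book's code.  An FSM is
(states, inputs, delta, lam, start) with delta and lam as dicts keyed by
(state, input)."""
from itertools import combinations

def table_filling(states, inputs, delta, lam):
    """Returns the set E of unordered pairs (frozensets) of equivalent states;
    every pair not in E has been found distinguishable."""
    E, D = set(), set()
    # initialization: 1-equivalent pairs go to E, 1-distinguishable ones to D
    for p, q in combinations(states, 2):
        pair = frozenset((p, q))
        if all(lam[(p, w)] == lam[(q, w)] for w in inputs):
            E.add(pair)
        else:
            D.add(pair)
    found1 = True
    while found1:                       # repeat ... until found1 == 0
        found1 = False
        for pair in list(E):
            p, q = tuple(pair)
            for w in inputs:
                nxt = frozenset((delta[(p, w)], delta[(q, w)]))
                # successors known to be distinguishable => {p, q} is too
                if len(nxt) == 2 and nxt in D:
                    E.discard(pair)
                    D.add(pair)
                    found1 = True
                    break
    return E

def disjoint_union(m1, m2):
    """M1 u M2: states of M1 get prefix (0, 1), states of M2 prefix (1, 0);
    the fresh start state rho loops to itself with a fresh output tau."""
    (S1, I, d1, l1, r1), (S2, _, d2, l2, r2) = m1, m2
    states = {(0, 1, s) for s in S1} | {(1, 0, s) for s in S2} | {"rho"}
    delta, lam = {}, {}
    for prefix, S, d, l in (((0, 1), S1, d1, l1), ((1, 0), S2, d2, l2)):
        for s in S:
            for w in I:
                delta[(prefix + (s,), w)] = prefix + (d[(s, w)],)
                lam[(prefix + (s,), w)] = l[(s, w)]
    for w in I:
        delta[("rho", w)] = "rho"
        lam[("rho", w)] = "tau"
    return states, I, delta, lam, "rho", (0, 1, r1), (1, 0, r2)

def equivalent(m1, m2):
    """M1 ~ M2 iff the pair ((0,1,r1), (1,0,r2)) survives table filling."""
    states, I, delta, lam, _, t1, t2 = disjoint_union(m1, m2)
    return frozenset((t1, t2)) in table_filling(states, I, delta, lam)

def from_table(rows, start):
    """Build an FSM from rows (state, input, next_state, output)."""
    states = {row[0] for row in rows}
    inputs = sorted({row[1] for row in rows})
    delta = {(s, w): t for s, w, t, _ in rows}
    lam = {(s, w): o for s, w, _, o in rows}
    return states, inputs, delta, lam, start

# Constructed samples: output 1 iff the number of 1-bits read so far is even.
PARITY2 = from_table([("e", 0, "e", 1), ("e", 1, "o", 0),
                      ("o", 0, "o", 0), ("o", 1, "e", 1)], "e")
# the same behaviour implemented with a modulo-4 counter (two redundant states)
PARITY4 = from_table([("c0", 0, "c0", 1), ("c0", 1, "c1", 0),
                      ("c1", 0, "c1", 0), ("c1", 1, "c2", 1),
                      ("c2", 0, "c2", 1), ("c2", 1, "c3", 0),
                      ("c3", 0, "c3", 0), ("c3", 1, "c0", 1)], "c0")
# faulty version: c3 returns to c1 instead of c0, visible only after 5 inputs
PARITY4_BUG = from_table([("c0", 0, "c0", 1), ("c0", 1, "c1", 0),
                          ("c1", 0, "c1", 0), ("c1", 1, "c2", 1),
                          ("c2", 0, "c2", 1), ("c2", 1, "c3", 0),
                          ("c3", 0, "c3", 0), ("c3", 1, "c1", 1)], "c0")

if __name__ == "__main__":
    print(equivalent(PARITY2, PARITY4), equivalent(PARITY2, PARITY4_BUG))
    print(table_filling(*PARITY4[:4]))   # {c0,c2} and {c1,c3} are equivalent
```

The fault in PARITY4_BUG is not 1-distinguishable from any state of PARITY2, so the initialization step alone finds nothing; it is the propagation of marked successor pairs back to the start pair that exposes it.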

2.2 Product machine 

Another approach which is similar to the table-filling algorithm is based on the 
so-called product machine, or product automaton, of two FSMs. In fact, it is 
the algorithm used by today's verification engineers. 

Definition 9.6 (product machine) Given two finite state machines $M_1$ 
and $M_2$ with $M_i = (S_i, I, O, \delta_i, \lambda_i, r_i)$ for $i = 1, 2$. The product machine 

$$M_1 \times M_2 = (S_{M_1 \times M_2}, I, O_{M_1 \times M_2}, \delta_{M_1 \times M_2}, \lambda_{M_1 \times M_2}, r_{M_1 \times M_2})$$ 

of $M_1$ and $M_2$ is an FSM with 

■ $S_{M_1 \times M_2} = S_1 \times S_2$, 

■ $O_{M_1 \times M_2} = \{0, 1\}$, 

■ $\delta_{M_1 \times M_2}((s_1, s_2), w) = (\delta_1(s_1, w), \delta_2(s_2, w))$, 

■ $\lambda_{M_1 \times M_2}((s_1, s_2), w) = 1 \iff \lambda_1(s_1, w) = \lambda_2(s_2, w)$, and 

■ $r_{M_1 \times M_2} = (r_1, r_2)$. 

A state $s$ of $M_1 \times M_2$ is called differentiating state if there exists an input symbol 
$w \in I$ such that $\lambda(s, w) = 0$. Furthermore, a sequence $w \in I^+$ of input 
symbols is called distinguishing sequence for $s$ if $\lambda^+(s, w) = 0$. 

Obviously, FSMs $M_1$ and $M_2$ are functionally equivalent if and only if no 
differentiating state $s \in S_{M_1 \times M_2}$ can be reached from start state $r_{M_1 \times M_2}$ in 
the product machine $M_1 \times M_2$, i.e., 

Theorem 9.2 Two FSMs $M_1$ and $M_2$ are equivalent if and only if 

$$\forall s \in REACH_{M_1 \times M_2}(\{(r_1, r_2)\})\ \forall w \in I : \lambda_{M_1 \times M_2}(s, w) = 1.$$ 

In order to decide equivalence, a traversal needs to be performed on the product 
state space. We are going to focus upon this subject in the next section. 

3. State space traversal 

Equivalence checking of FSMs typically proceeds by traversing the state space. 
In this section, we will concentrate on this problem and propose the basic 
algorithms for efficient state space traversal. 

3.1 The basic approaches 

There are two different approaches for state space traversal, forward and back- 
ward traversal. Both algorithms are sketched in Figure 9.7 and Figure 9.8. They 
refer to the approach proposed by Theorem 9.2. 

3.1.1 Forward state space traversal 

Mathematically, reached state computation, which is the process of taking the 
start state $r$ and finding all states reachable from this state, i.e., all states $s$ such 
that there is a sequence of input symbols which leads the FSM into $s$ from the 
start state, is performed by a fixed point calculation [32, 122]: 

$$REACH_0 = \{r\}$$ 
$$REACH_{k+1} = REACH_k \cup SUCC(REACH_k).$$ 

The algorithm of Figure 9.7 is based on this principle. It realizes a forward 
traversal of the product automaton. 



FORWARD_TRAVERSAL(M) 
// M is the product automaton of two FSMs M1 and M2 
begin 
  REACH = {r}; 
  // REACH contains the states visited by the algorithm 
  FRONT = REACH; 
  // FRONT contains those states of REACH which 
  // have not yet been tested whether new states are reachable 
  repeat 
    if (∃s ∈ FRONT ∃w ∈ I : λ(s, w) == 0) 
    then return "The FSMs are not equivalent"; 
    fi; 
    FRONT = SUCC(FRONT) \ REACH; 
    REACH = REACH ∪ FRONT; 
  until FRONT == ∅; 
  return "Both FSMs are equivalent"; 
end; 

Figure 9.7. Sketch of the equivalence checking of FSMs by forward state space traversal. 



During the initialization phase, variable $REACH$ is set to $\{r\}$. Variable 
$FRONT$ contains those states of variable $REACH$ whose successors have 
not yet been visited. 

In each iteration, the algorithm determines $SUCC(FRONT)$. The new front 
is given by these successors except the states already contained in $REACH$. If the 
algorithm encounters a differentiating state $s$, i.e., $\lambda(s, w) = 0$ for some input 
value $w \in I$, it reports that the FSMs under verification are not equivalent 
and stops (see Theorem 9.2). If the assignment of $REACH$ is stable, i.e., 
$REACH = SUCC(REACH)$, which is equivalent to $FRONT = \emptyset$, then 
all the reachable states have been visited and both FSMs are equivalent since 
no differentiating state could be reached from start state $r$. 
3.1.2 Backward state space traversal 

Backward traversal moves through the state space in the opposite direction. It 
starts with set $FRONT$ which now contains the differentiating states of the 
product machine. Then, it iteratively computes the predecessors of these dif- 
ferentiating states. If during backward traversal the start state $r$ is encountered, 
a differentiating state can be reached from $r$ and both FSMs are not equivalent. 
Note that in each iteration, the new front is obtained by intersecting the set 
of the predecessors of $FRONT$ and the set $EQUIV$ which contains the states 
which have not been in the front yet. This is motivated by the fact that the 
FSMs under verification are not equivalent if and only if there is a simple path 
$(s_0, \ldots, s_j)$ with 

■ $s_0 = r$, 

■ $\forall i \in \{0, \ldots, j-1\} : s_{i+1} \in SUCC(\{s_i\})$, 

■ $\forall i \in \{0, \ldots, j-1\} : s_i$ is a non-differentiating state, and 

■ $s_j$ is a differentiating state. 

BACKWARD_TRAVERSAL(M) 
// M is the product automaton of two FSMs M1 and M2 
begin 
  FRONT = {s ∈ S; ∃w ∈ I : λ(s, w) == 0}; 
  EQUIV = S \ FRONT; 
  repeat 
    if (r ∈ FRONT) 
    then return "The FSMs are not equivalent"; 
    fi; 
    FRONT = PRED(FRONT) ∩ EQUIV; 
    EQUIV = EQUIV \ FRONT; 
  until FRONT == ∅; 
  return "Both FSMs are equivalent"; 
end; 

Figure 9.8. Sketch of the equivalence checking of FSMs by backward state space traversal. 









3.2 ROBDD based implementation 

The crucial operation of forward and backward state space traversal is the 
computation of the set of successor states and predecessor states, respectively. 
Both operations can be efficiently executed by using implicit representations 
of sets of states. 

Definition 9.7 (implicit representation of set of states) 

Let $T \subseteq \{0,1\}^q$ be a subset of states. Then subset $T$ is uniquely represented 
by the characteristic function $\chi_T : \{0,1\}^q \to \{0,1\}$ defined by 

$$\forall s \in \{0,1\}^q : \chi_T(s) = 1 \iff s \in T.$$ 

Analogously, the transition function $\delta$ of an FSM can be represented as a 
Boolean function as well. We just have to take the characteristic function 
of the state transition relation. 

Definition 9.8 (state transition relation) Given a finite state ma- 
chine $M = (S, I, O, \delta, \lambda, r)$, the state transition relation $\Delta \subseteq S \times I \times S$ of $M$ 
is defined as 

$$\forall s, t \in \{0,1\}^q\ \forall w \in \{0,1\}^n : (s, w, t) \in \Delta \iff \delta(s, w) = t.$$ 

The characteristic function $\chi_\Delta$ of $\Delta$ is a Boolean function of $B_{2q+n}$ defined 
on $2q + n$ variables, $\sigma_1, \ldots, \sigma_q$, $\omega_1, \ldots, \omega_n$, and $\tau_1, \ldots, \tau_q$, which we call 
present state variables, input variables, and next state variables, respectively. 
For illustration, we can consider the present state variables as the outputs and 
the next state variables as the inputs of the state register (see Figure 9.3). 

3.2.1 Implementation of forward traversal 

With the new definitions let us consider the algorithm for equivalence checking 
of FSMs by forward state space traversal again. 

Let $s, t \in \{0,1\}^q$ be two states, $T$ be a subset of states, and $w \in \{0,1\}^n$ be an 
assignment to the input variables $\omega_1, \ldots, \omega_n$. Now, state $s$ is element of $T$ and 
the FSM moves from $s$ to $t$ under the assignment $w$ if and only if the expression 

$$\chi_T(s) \cdot \chi_\Delta(s, w, t)$$ 

evaluates to 1. Thus the characteristic function of 

$$\{ (s, w, t) \in \{0,1\}^{2q+n} ;\ s \in T \text{ and } \delta(s, w) = t \}$$ 

is given by 

$$\chi_T(\sigma_1, \ldots, \sigma_q) \cdot \chi_\Delta(\sigma_1, \ldots, \sigma_q, \omega_1, \ldots, \omega_n, \tau_1, \ldots, \tau_q).$$ 
FORWARD_TRAVERSAL(M) 
begin 
  χ_REACH = χ_{r}; 
  χ_FRONT = χ_REACH; 
  repeat 
    if ((χ_FRONT(σ) · NOT(λ(σ, ω))) ≠ 0) 
    then report "The FSMs are not equivalent"; 
    fi; 
    χ_SUCC = (∃ω, σ : χ_FRONT(σ) · χ_Δ(σ, ω, τ)); 
    χ_FRONT = χ_SUCC · NOT(χ_REACH); 
    χ_REACH = χ_REACH + χ_FRONT; 
  until χ_FRONT == 0; 
  report "Both FSMs are equivalent"; 
end; 

Figure 9.9. Equivalence checking of FSMs by forward state space traversal. 



We obtain the set $\{(s, t) ;\ s \in T \text{ and } t \in SUCC(s)\}$ by performing an exis- 
tential quantification over the input variables, that is 

$$(\exists \omega_1, \ldots, \omega_n : \chi_T(\sigma_1, \ldots, \sigma_q) \cdot \chi_\Delta(\sigma_1, \ldots, \sigma_q, \omega_1, \ldots, \omega_n, \tau_1, \ldots, \tau_q))$$ 

or 

$$(\exists \omega : \chi_T(\sigma) \cdot \chi_\Delta(\sigma, \omega, \tau)),$$ 

in short. By further performing an existential quantification over the present 
state variables, we obtain the characteristic function of $SUCC(T)$, that is 

$$\chi_{SUCC(T)}(\tau) = (\exists \sigma : (\exists \omega : \chi_T(\sigma) \cdot \chi_\Delta(\sigma, \omega, \tau))).$$ 

Thus if both the Boolean function $\chi_T$ and the Boolean function $\chi_\Delta$ are given 
by ROBDDs, then the ROBDD of the characteristic function $\chi_{SUCC(T)}$ of 
$SUCC(T)$ can be computed by performing the AND of the given ROBDDs 
and an existential quantification over the input variables and the present state 
variables. Both operations, the logical-and operator and the existential quan- 
tification which is performed $q + n$ times, can be executed in polynomial time 
as shown in Chapter 3. 
Finally, the branch condition $(\exists s \in FRONT\ \exists w \in I : \lambda(s, w) == 0)$ can 
be realized as 

$$(\chi_{FRONT}(\sigma) \cdot NOT(\lambda(\sigma, \omega))) \neq 0.$$ 

All these considerations result in the algorithm shown in Figure 9.9. Note that, 
in order to be accurate, the statement 

$$\chi_{FRONT} = (\exists \omega, \sigma : \chi_{FRONT}(\sigma) \cdot \chi_\Delta(\sigma, \omega, \tau));$$ 

has to be replaced by 

$$\chi_{FRONT} = (\exists \omega, \sigma : \chi_{FRONT}(\sigma) \cdot$$ 

in each iteration, i.e., the variables $\tau_1, \ldots, \tau_q$ have to be substituted by the 
variables $\sigma_1, \ldots, \sigma_q$. 

3.2.2 Implementation of backward traversal 

Analogously, the backward state space traversal can be implemented. The 
implementation is shown in Figure 9.10. According to the considerations from 
above, it is easy to prove that 

$$\chi_{PRED(T)}(\sigma) = (\exists \omega, \tau : \chi_T(\tau) \cdot \chi_\Delta(\sigma, \omega, \tau))$$ 

holds. The implementation of the remaining operations of the algorithm shown 
in Figure 9.8 is straightforward as well. 

BACKWARD_TRAVERSAL(M) 
begin 
  χ_FRONT = (∃ω : NOT(λ(σ, ω))); 
  χ_EQUIV = χ_S · NOT(χ_FRONT); 
  repeat 
    if ((χ_{r} · χ_FRONT) ≠ 0) 
    then report "The FSMs are not equivalent"; 
    fi; 
    χ_PRED = (∃ω, τ : χ_FRONT(τ) · χ_Δ(σ, ω, τ)); 
    χ_FRONT = χ_PRED · χ_EQUIV; 
    χ_EQUIV = χ_EQUIV · NOT(χ_FRONT); 
  until χ_FRONT == 0; 
  report "Both FSMs are equivalent"; 
end; 

Figure 9.10. Equivalence checking of FSMs by backward state space traversal. 
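The symbolic computation of $SUCC(T)$ and $PRED(T)$ from Sections 3.2.1 and 3.2.2, as an added Python example (not the book's code). Instead of ROBDDs, every Boolean function is represented as the set of its satisfying minterms, which is enough to show the operations themselves: the conjunction $\chi_T \cdot \chi_\Delta$, existential quantification over the present state and input variables, and the renaming of $\tau$ back to $\sigma$ that the text requires after each iteration. $\chi_\Delta$ is built for the counter modulo $2^q$ of Section 1.2.2, extended with one enable input as a constructed sample; the variable and function names are this example's own.

```python
"""Set-of-minterms stand-in for the ROBDD operations of Section 3.2: sets of
states and the transition relation are characteristic functions; SUCC and PRED
are computed by conjunction and existential quantification as in Figures 9.9
and 9.10.  Added example, not the book's code; the counter modulo 2^q with an
enable input is a constructed sample circuit."""
from itertools import product

def assignment(**vals):
    """One minterm: a frozenset of (variable, value) pairs."""
    return frozenset(vals.items())

def conj(f, g):
    """f . g over the union of both supports (minterms must agree on shared vars)."""
    out = set()
    for a in f:
        da = dict(a)
        for b in g:
            if all(da.get(v, val) == val for v, val in b):
                out.add(a | b)
    return out

def exists(f, variables):
    """(exists variables : f): drop the quantified variables from every minterm."""
    return {frozenset((v, val) for v, val in a if v not in variables) for a in f}

def rename(f, mapping):
    """Substitute variable names, e.g. tau_i -> sigma_i after a SUCC step."""
    return {frozenset((mapping.get(v, v), val) for v, val in a) for a in f}

Q = 3                                   # q state bits, one input bit (enable)
SIGMA = [f"sigma{i}" for i in range(Q)]  # present state variables
OMEGA = ["omega0"]                       # input variables
TAU = [f"tau{i}" for i in range(Q)]      # next state variables

def bits(value):
    return [(value >> i) & 1 for i in range(Q)]

def chi_states(states):
    """chi_T over the present state variables for a set of integer states."""
    return {assignment(**dict(zip(SIGMA, bits(s)))) for s in states}

def chi_delta_counter():
    """chi_Delta(sigma, omega, tau) = 1 iff tau = (sigma + omega) mod 2^q."""
    rel = set()
    for s, e in product(range(2 ** Q), (0, 1)):
        t = (s + e) % (2 ** Q)
        rel.add(assignment(**dict(zip(SIGMA, bits(s))),
                           **dict(zip(OMEGA, [e])),
                           **dict(zip(TAU, bits(t)))))
    return rel

def chi_succ(chi_t, chi_d):
    """chi_SUCC(T)(tau) = exists sigma exists omega : chi_T(sigma) . chi_Delta,
    with tau renamed to sigma so the result is again a set of present states."""
    f = exists(conj(chi_t, chi_d), set(SIGMA) | set(OMEGA))
    return rename(f, dict(zip(TAU, SIGMA)))

def chi_pred(chi_t, chi_d):
    """chi_PRED(T)(sigma) = exists omega exists tau : chi_T(tau) . chi_Delta."""
    t_next = rename(chi_t, dict(zip(SIGMA, TAU)))
    return exists(conj(t_next, chi_d), set(OMEGA) | set(TAU))

def to_states(f):
    """Decode minterms over sigma back to integers (for inspection and tests)."""
    return {sum(val << int(v[len("sigma"):]) for v, val in a) for a in f}

def forward_reach(start, chi_d):
    """Reachability loop of Figure 9.9: chi_FRONT = chi_SUCC . NOT(chi_REACH)
    is a set difference, chi_REACH + chi_FRONT a union."""
    reach = chi_states({start})
    front = set(reach)
    while front:
        front = chi_succ(front, chi_d) - reach
        reach = reach | front
    return to_states(reach)

if __name__ == "__main__":
    D = chi_delta_counter()
    print(to_states(chi_succ(chi_states({7}), D)))   # {0, 7}: hold or wrap
    print(to_states(chi_pred(chi_states({0}), D)))   # {0, 7}
    print(forward_reach(5, D))                       # all 8 states
```

With ROBDDs the same three operations (AND, existential quantification, variable substitution) are what the traversal costs; the minterm sets here grow with the state space instead, which is exactly what the implicit representation avoids.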

3.3 Error trace generation 

When the FSMs under verification are not equivalent, a simple negative answer 
of the verification algorithm is unsatisfactory. It is usually desirable to derive 
an input sequence that distinguishes the two FSMs. This process is called error 
trace generation. 

Without loss of generality, let us concentrate on the forward state space traversal 
algorithm. We have to extend the algorithm such that distinguishing input 
sequences can be generated. For this purpose we have to store the front of each 
iteration cycle separately. Figure 9.11 shows the extended algorithm. 

Now, error trace generation is rather easy. Assume that the procedure 
ERROR_TRACE_GENERATION is called with the parameters $i \in \mathbb{N}$ and $error_i \in 
S$, i.e., $error_i \in FRONT[i]$. First, we have to look for an input value $w_i$ such 
that the distinguishing state $error_i$ actually outputs 0, i.e., $\lambda(error_i, w_i) = 0$. 
Input value $w_i$ is the last element of the distinguishing input sequence which is 
generated. The next step is to find a predecessor state of $error_i$ which is closer 
to start state $r$. For this purpose, just compute 

$$PRED(\{error_i\}) \cap FRONT[i-1]$$ 

and pick a state $error_{i-1}$ from this intersection. The $(i-1)$th element of the 
distinguishing input sequence is set to some $w_{i-1} \in I$ such that 

$$\delta(error_{i-1}, w_{i-1}) = error_i.$$ 

In the same manner, the procedure computes the remaining (inverse) path 
$error_{i-2}, \ldots, error_1$ and the corresponding input values $w_{i-2}, \ldots, w_1 \in I$. 
Since $FRONT[1]$ only consists of start state $r$, state $error_1$ is the start state 
and $w_1, \ldots, w_i$ is a distinguishing input sequence. 
FORWARD_TRAVERSAL_WITH_ERROR_TRACE_GENERATION(M) 
begin 
  i = 0; 
  REACH = {r}; 
  FRONT[1] = REACH; 
  // FRONT[i] is the front of the ith iteration 
  repeat 
    i++; 
    if (∃s ∈ FRONT[i] ∃w ∈ I : λ(s, w) == 0) 
    then ERROR_TRACE_GENERATION(M, i, s); 
    fi; 
    FRONT[i + 1] = SUCC(FRONT[i]) \ REACH; 
    REACH = REACH ∪ FRONT[i + 1]; 
  until FRONT[i + 1] == ∅; 
  report "Both FSMs are equivalent"; 
end; 

ERROR_TRACE_GENERATION(M, i, error) 
begin 
  w = [PICK_ONE_ELEMENT_OF({w ∈ I; λ(error, w) = 0})]; 
  for j = i - 1 downto 1 
  do 
    pred = PICK_ONE_ELEMENT_OF(PRED({error}) ∩ FRONT[j]); 
    w = [PICK_ONE_ELEMENT_OF({v ∈ I; δ(pred, v) = error})] ∘ w; 
    // "∘" denotes the concatenation of finite sequences 
    error = pred; 
  od; 
  return w; 
end; 

Figure 9.11. Forward state space traversal with error trace generation 
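The product machine of Definition 9.6, forward traversal with the per-iteration fronts and error trace generation of Figure 9.11, and backward traversal of Figure 9.8, on explicit sets of states. This is an added Python example serving Sections 2.2, 3.1 and 3.3; it is not the book's code. The two modulo-3 counters (one with a wrapping bug, one with an unreachable dead state) are constructed sample inputs, and PICK_ONE_ELEMENT_OF is made deterministic by choosing the smallest element.

```python
"""Product machine (Definition 9.6), forward traversal with error trace
generation (Figures 9.7 / 9.11) and backward traversal (Figure 9.8) on explicit
sets of states.  Added example, not the book's code.  An FSM is a tuple
(states, inputs, trans, start) with trans[(state, input)] = (next, output)."""

def product_machine(m1, m2):
    """M1 x M2: states are pairs, output is 1 iff both outputs agree."""
    (S1, I, t1, r1), (S2, _, t2, r2) = m1, m2
    trans = {}
    for s1 in S1:
        for s2 in S2:
            for w in I:
                (n1, o1), (n2, o2) = t1[(s1, w)], t2[(s2, w)]
                trans[((s1, s2), w)] = ((n1, n2), int(o1 == o2))
    return {(a, b) for a in S1 for b in S2}, I, trans, (r1, r2)

def succ(m, T):
    _, I, trans, _ = m
    return {trans[(t, w)][0] for t in T for w in I}

def pred(m, T):
    S, I, trans, _ = m
    return {s for s in S for w in I if trans[(s, w)][0] in T}

def differentiating_input(m, s):
    """Some w with lambda(s, w) = 0, or None if s is not differentiating."""
    _, I, trans, _ = m
    return next((w for w in I if trans[(s, w)][1] == 0), None)

def error_trace(m, fronts, i, error):
    """ERROR_TRACE_GENERATION(M, i, error): walk back through FRONT[i-1], ...,
    FRONT[1], collecting one input per step (smallest element = PICK_ONE)."""
    _, I, trans, _ = m
    w = [differentiating_input(m, error)]
    for j in range(i - 1, 0, -1):
        p = min(pred(m, {error}) & fronts[j], key=repr)
        v = next(x for x in I if trans[(p, x)][0] == error)
        w = [v] + w                       # "o": concatenation of sequences
        error = p
    return w

def forward_traversal(m):
    """(True, None) if the FSMs are equivalent, else (False, error trace)."""
    _, _, _, r = m
    reach = {r}
    fronts = {1: {r}}                     # FRONT[i] is the front of iteration i
    i = 0
    while True:
        i += 1
        for s in sorted(fronts[i], key=repr):
            if differentiating_input(m, s) is not None:
                return False, error_trace(m, fronts, i, s)
        fronts[i + 1] = succ(m, fronts[i]) - reach
        reach |= fronts[i + 1]
        if not fronts[i + 1]:
            return True, None

def backward_traversal(m):
    """Figure 9.8: not equivalent iff the start state is met when walking back
    from the differentiating states through not-yet-visited states."""
    S, _, _, r = m
    front = {s for s in S if differentiating_input(m, s) is not None}
    equiv = S - front
    while front:
        if r in front:
            return False
        front = pred(m, front) & equiv
        equiv -= front
    return True

def replay(m, w):
    """lambda+(r, w): the output sequence of m on the input sequence w."""
    _, _, trans, s = m
    out = []
    for a in w:
        s, o = trans[(s, a)]
        out.append(o)
    return out

# Constructed sample circuits: a modulo-3 counter with an enable input and
# output 1 while the count is 2; the buggy variant fails to wrap from 2 to 0.
def mod3_counter(buggy=False):
    trans = {}
    for c in range(3):
        trans[(c, 0)] = (c, int(c == 2))
        trans[(c, 1)] = ((c + 1) % 3, int(c == 2))
    if buggy:
        trans[(2, 1)] = (2, 1)
    return {0, 1, 2}, [0, 1], trans, 0

def mod3_counter_with_dead_state():
    """Counter plus an unreachable state 'x' with a wrong output: the product
    machine then has differentiating states, but none is reachable from r."""
    S, I, trans, r = mod3_counter()
    trans = dict(trans)
    trans[("x", 0)], trans[("x", 1)] = (("x", 1), (0, 1))
    return S | {"x"}, I, trans, r

if __name__ == "__main__":
    bad = product_machine(mod3_counter(), mod3_counter(buggy=True))
    print(forward_traversal(bad))         # (False, [1, 1, 1, 0])
    dead = product_machine(mod3_counter(), mod3_counter_with_dead_state())
    print(forward_traversal(dead), backward_traversal(dead))   # (True, None) True
```

The dead-state case is the point of Theorem 9.2: the product machine contains differentiating states, but forward traversal never reaches them and backward traversal never reaches $r$ from them, so the two circuits are reported equivalent. For the buggy counter the returned trace enables the counter three times and then reads it once, and replay confirms that the two machines produce different outputs on it.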
THE LATCH CORRESPONDENCE PROBLEM 

This chapter addresses the problem of establishing the unknown correspon- 
dence of the latches (memory elements) of two sequential circuits which have 
the same encoding of their states. When circuit modifications do not alter the 
state encoding, this Latch Correspondence Problem has to be solved in or- 
der to reduce the sequential equivalence checking problem to an equivalence 
check of combinational circuits. If a correspondence of the latches in the two 
sequential circuits can be established, then it is possible to break the circuits 
into corresponding combinational blocks (cf. Figure 9.1 and Figure 9.3) and 
the verification problem reduces to an equivalence check of the combinational 
circuits defined by the latch boundaries [77, 117]. In this case, the sequential 
circuits to be considered are functionally equivalent if the combinational blocks 
are functionally equivalent. 

There are several cases in which the correspondence may exist but is unknown. 
For example, existing commercial tools doing design transformations, such as 
synthesis or clock tree insertion, often do not preserve signal names. So it 
becomes impossible to establish a latch correspondence without further help. 
This especially happens when a hierarchically specified design is being flattened 
as part of the transformation. 

Several approaches to compute latch correspondences have been proposed in 
literature [24, 141, 107]. In this chapter we concentrate on the approach pre- 
sented in [107] which can be easily included whenever ROBDDs (see Definition 
3.6 on page 31) are used as the representation form in the verification tool. Ex- 
perimental runs applied to a large set of benchmarks have proven the efficiency 
of the approach [107]. 

The combinational equivalence check on the primary output and the transition 
functions can be done using ROBDDs as shown in Chapter 4. Since ROBDDs 
are a canonical form for representing Boolean functions for fixed variable order, 
the equivalence check reduces to checking if the two canonical forms are the same 
[15, 20]. However, without the correspondence of the latches the ROBDDs of 
the combinational blocks of the two finite state machines under consideration 
could be ordered with respect to different variable orders and we cannot simply 
check whether both ROBDDs are the same. Thus, we need to establish this 
correspondence first. Given $k$ latches, there are $k!$ possible correspondences. 
This rules out any exhaustive algorithms for establishing the correspondence 
for circuits encountered in practice. 

There is a similar problem in combinational logic verification which we have 
discussed in Chapter 8, the permutation independent Boolean comparison. The 
new problem does not only resemble the permutation independent Boolean 
comparison but there is a similar approach to solve it as well. Again, signature- 
based methods can be successfully applied. These methods can especially be 
used as an enhancement to commercial tools solving the problem, i.e., they can 
be reserved for tough cases where those tools fail. They can be applied to those 
pairs of sequential circuits where a direct correspondence between the latches 
is possible, i.e., there is the same state encoding. 

The application is straightforward, namely derive signatures for each latch in or- 
der to uniquely identify this latch. In [121], the authors have used this method 
to identify corresponding latches in order to be able to simplify the product 
machine traversal for sequential verification. There, they have used input sig- 
natures and have made the observation that sometimes the task still remains 
too complex. The ideas presented in [107] are able to improve these results. 
They do not just combine the input signatures known from literature, but also 
develop novel signatures which are especially suited for the latch equivalence 
problem. These signatures give better results, i.e., the set of pairs of latches 
which are candidates for correspondence is determined more precisely. 

The chapter starts with a problem description in Section 1. Section 2 describes 
the differences between establishing unknown input variable correspondence 
and establishing unknown latch correspondence, introduces special signature 
functions for latches which can be easily computed on ROBDDs, and explains 
the solution paradigm which uses these signature functions on an example. 

1. Problem description 

For illustration, we refer to Figure 10.1a and Figure 10.1b. 

Let $\mathcal{F}_{n,m,k}$ be the set of the finite state machines (FSM) with $n$ primary inputs 

$$X = [x_1, x_2, \ldots, x_n],$$ 

$m$ primary outputs 

$$Y = [y_1, y_2, \ldots, y_m],$$ 

and $k$ latches 

$$L = [l_1, l_2, \ldots, l_k].$$ 

[Figure 10.1a. A synchronous Mealy machine F: state register, output register] 

[Figure 10.1b. The combinational block Com(F).] 

For our purpose, we can concentrate on the combinational blocks of the se- 
quential circuits in $\mathcal{F}_{n,m,k}$. The combinational part $Com(F)$ of a sequential 
circuit $F \in \mathcal{F}_{n,m,k}$ can be regarded as a Boolean function with $n + k$ primary 
inputs and $m + k$ primary outputs. Let 

$$U = [u_1, u_2, \ldots, u_k]$$ 

be the additional inputs and let 

$$V = [v_1, v_2, \ldots, v_k]$$ 

be the additional outputs which both correspond to the latches "removed". We 
assume that for all $j \in \mathbb{N}_k$, $u_j$ and $v_j$ denote the output and the input of the same 
latch $l_j$, respectively. Furthermore, let us denote the $k$-ary transition function 
of $F$ by 

$$\delta = [\delta_1, \ldots, \delta_k] \in B_{n+k,k}$$ 

and the $m$-ary output function of $F$ by 

$$\lambda = [\lambda_1, \ldots, \lambda_m] \in B_{n+k,m}.$$ 

Now, the latch permutation equivalence problem can be formally defined. 
Now, the latch permutation equivalence problem can be formally defined. 

Definition 10.1 (latch permutation problem) Given two sequen- 
tial circuits $F^{(1)}, F^{(2)} \in \mathcal{F}_{n,m,k}$, the latch permutation equivalence problem 
which is also referred to as latch correspondence problem is the decision problem 
as to whether a correspondence $\pi$ between the latches of $F^{(1)}$ and $F^{(2)}$ ex- 
ists, such that the two synchronous sequential circuits $F^{(1)}$ and $F^{(2)}$ have their 
combinational parts functionally equivalent using this correspondence. More 
formally, the problem is to find a permutation $\pi \in Per(\mathbb{N}_k)$ such that for all 
$j \in \mathbb{N}_m$ 

$$\lambda_j^{(1)}(x_1, \ldots, x_n, u^{(1)}_{\pi(1)}, \ldots, u^{(1)}_{\pi(k)}) = \lambda_j^{(2)}(x_1, \ldots, x_n, u^{(2)}_1, \ldots, u^{(2)}_k)$$ 

and for all $j \in \mathbb{N}_k$ 

$$\delta_j^{(1)}(x_1, \ldots, x_n, u^{(1)}_{\pi(1)}, \ldots, u^{(1)}_{\pi(k)}) = \delta_{\pi(j)}^{(2)}(x_1, \ldots, x_n, u^{(2)}_1, \ldots, u^{(2)}_k)$$ 

hold. (For the notations, we refer to Chapter 8 Section 1.) 

Note that the additional inputs $u^{(1)}_1, \ldots, u^{(1)}_k$ of the combinational part of $F^{(1)}$ 
have to be permutated in the exact same manner as the additional outputs 
$v^{(1)}_1, \ldots, v^{(1)}_k$ (the assignment of $v^{(1)}_j$ is determined by $\delta^{(1)}_j$) since latches are 
permutated and $u^{(1)}_j$ and $v^{(1)}_j$ are the output and the input of the same latch. 
Furthermore, note that we assume without loss of generality that the corre- 
spondences between the primary inputs and primary outputs of $F^{(1)}$ and $F^{(2)}$ 
are known. If these correspondences are unknown as well, then just apply the 
methods discussed in Chapter 8. 

The similarity of the latch correspondence problem to the combinational per- 
mutation equivalence problem is obvious. We need to find a unique and per- 
mutation independent description for each latch. The difference is that each 
latch has to be considered as input and as output of the combinational part of 
the sequential circuit and that these inputs are permutated in exactly the same 
manner as the outputs. 
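A brute-force solution of Definition 10.1 with signature pruning, as an added Python example (not the book's code and not the implementation of [107]). The combinational block Com(F1) is a constructed 1-input, 3-latch, 1-output circuit; F2 is F1 with its latches relabelled, so a correspondence exists, and F1_buggy has a wrong output function, so none does. Before the check over all input assignments, candidate permutations are filtered by the satisfy count of each $\delta_j$, the output signature mentioned in Section 2; the function names such as find_correspondence are this example's own.

```python
"""Latch correspondence (Definition 10.1) by brute force over permutations,
with satisfy-count output signatures (Section 2) as a filter.  Added example;
the circuits are constructed and not taken from the book."""
from itertools import permutations, product

def com_f1(x, u):
    """Com(F1): n = 1 primary input, k = 3 latches, m = 1 primary output.
    Returns (lambda values, delta values) as tuples of bits."""
    (x1,), (u1, u2, u3) = x, u
    lam = (u1 ^ u3,)
    delta = (x1 & u2, u1 | (x1 & u3), x1 ^ u2 ^ u3)
    return lam, delta

def com_f1_buggy(x, u):
    """Same transition functions as F1 but a wrong output function."""
    u1, u2, _ = u
    return (u1 ^ u2,), com_f1(x, u)[1]

def relabel(com, phi):
    """Com of the same circuit with latch i renamed to latch phi[i] (0-based),
    i.e. a transformation that did not preserve the latch names."""
    k = len(phi)
    inv = {phi[i]: i for i in range(k)}
    def com2(x, u):
        u_orig = tuple(u[phi[i]] for i in range(k))   # original latch i is now phi[i]
        lam, delta = com(x, u_orig)
        return lam, tuple(delta[inv[j]] for j in range(k))
    return com2

def satisfies(com1, com2, pi, n, k):
    """Definition 10.1 for one permutation pi (0-based), for all x and u:
    lambda1_j(x, u_pi(1), ..., u_pi(k)) == lambda2_j(x, u)        for all j
    delta1_j (x, u_pi(1), ..., u_pi(k)) == delta2_pi(j)(x, u)     for all j"""
    for x in product((0, 1), repeat=n):
        for u in product((0, 1), repeat=k):
            u_perm = tuple(u[pi[i]] for i in range(k))
            lam1, d1 = com1(x, u_perm)
            lam2, d2 = com2(x, u)
            if lam1 != lam2 or any(d1[j] != d2[pi[j]] for j in range(k)):
                return False
    return True

def delta_satisfy_counts(com, n, k):
    """Output signature of each latch: the satisfy count of delta_j, which is
    invariant under any permutation of the latch inputs."""
    counts = [0] * k
    for x in product((0, 1), repeat=n):
        for u in product((0, 1), repeat=k):
            _, d = com(x, u)
            for j in range(k):
                counts[j] += d[j]
    return counts

def find_correspondence(com1, com2, n, k):
    """Returns (pi, candidates): pi is a correspondence or None, candidates is
    the number of permutations that survived the signature filter."""
    sig1 = delta_satisfy_counts(com1, n, k)
    sig2 = delta_satisfy_counts(com2, n, k)
    candidates = 0
    for pi in permutations(range(k)):
        # delta1_j can only correspond to a delta2_pi(j) with the same signature
        if any(sig1[j] != sig2[pi[j]] for j in range(k)):
            continue
        candidates += 1
        if satisfies(com1, com2, pi, n, k):
            return pi, candidates
    return None, candidates

if __name__ == "__main__":
    f2 = relabel(com_f1, (2, 0, 1))
    print(find_correspondence(com_f1, f2, 1, 3))            # ((2, 0, 1), 1)
    print(find_correspondence(com_f1, com_f1_buggy, 1, 3))  # (None, 1)
```

In this sample the three satisfy counts are pairwise different, so only one of the $3! = 6$ permutations has to be checked exhaustively; when signatures coincide (e.g. two latches with identical $\delta_j$ up to input permutation) the candidate count grows and the final check over all assignments is what decides.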
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2. Signatures 

Let us remember the problem of finding a permutation independent correspon-
dence between the input variables of Boolean functions of $B_n$ first. For this,
let $f \in B_n$. In Chapter 8, we have defined a signature as a description of an
input variable of $f$ which is independent of any permutation of the (remaining)
inputs of the Boolean function $f$. Applying signatures helps solving the com-
binational permutation equivalence problem by identifying each input variable
independently of permutation. Any possible correspondence between the input
variables of two Boolean functions is restricted to a correspondence between
variables with the same signature. So, if each variable of a Boolean function
$f$ has a unique signature, then there is at most one possible correspondence to
the variables of any other Boolean function.

This concept can be used to attack the latch correspondence problem as well. 
Here we need to test whether there exists a correspondence between the latches 
of two synchronous sequential circuits such that their combinational logic is 
functionally equivalent under this correspondence. 

Let us characterize this new problem and underline the differences from the
input correspondence problem. As explained above, we assume that the corre-
spondence between the primary inputs of the two sequential circuits is known.
So we have the first piece of additional information. Furthermore, we assume
that we know the correspondence between the primary outputs $y_1, \ldots, y_m$ of
the sequential circuits under consideration. These primary outputs represent
the output functions $\lambda_1, \ldots, \lambda_m$ of the sequential circuit that depend on both
the primary inputs $x_1, \ldots, x_n$ of the sequential circuits and the additional in-
puts $u_1, \ldots, u_k$ which are due to the removal of the latches. So, we can use
the primary outputs of the sequential circuits to compute input signatures for
the latches. This is done in the exact same manner as for the combinational
problem. We make some remarks regarding these input signatures in Sec-
tion 2.2. However, latches appear not only as inputs of the combinational part of
the sequential circuit but as outputs as well. So, the most important difference
between the combinational problem and the sequential problem is that we can
use output signatures in addition to identify the latches independently of per-
mutation. For instance, the satisfy count of the Boolean function $\delta_j$ realized by
output $v_j$ of the combinational part of the sequential circuit is such information
on latch $l_j$. We will go into more detail in Section 2.3.

In Section 2.4, we demonstrate how a unique possible correspondence for the 
latches can be established in practice. For illustration, we use the benchmark
circuit ex4.slif from the benchmark set LGSynth91 [89].
2.1 Solution paradigm

Let us start with describing the solution paradigm on an example of two se-
quential circuits, $F^{(1)}$ and $F^{(2)}$, with four latch variables $[l_1^{(1)}, l_2^{(1)}, l_3^{(1)}, l_4^{(1)}]$
and $[l_1^{(2)}, l_2^{(2)}, l_3^{(2)}, l_4^{(2)}]$, respectively. Let the latches considered as inputs of the
combinational part of the sequential circuits be denoted by $[u_1^{(1)}, u_2^{(1)}, u_3^{(1)}, u_4^{(1)}]$
and $[u_1^{(2)}, u_2^{(2)}, u_3^{(2)}, u_4^{(2)}]$, respectively. The corresponding outputs of the com-
binational blocks are $[v_1^{(1)}, v_2^{(1)}, v_3^{(1)}, v_4^{(1)}]$ and $[v_1^{(2)}, v_2^{(2)}, v_3^{(2)}, v_4^{(2)}]$, respec-
tively.

At first, we look at the latches as inputs of the combinational block and compute
an input signature for $u_i^{(1)}$ and $u_i^{(2)}$ for $i = 1, 2, 3, 4$ with respect
to the primary output functions $\lambda^{(1)}$ and $\lambda^{(2)}$ of $F^{(1)}$ and $F^{(2)}$, respectively.
This is done in the exact same manner as described for the combinational
permutation problem in Chapter 8. So let us suppose that we have two lists of
input signatures that contain the same elements, namely

$$\mathcal{L}_I(F^{(1)}, [u_1^{(1)}, u_2^{(1)}, u_3^{(1)}, u_4^{(1)}]) = [2, 1, 3, 2]$$

and

$$\mathcal{L}_I(F^{(2)}, [u_1^{(2)}, u_2^{(2)}, u_3^{(2)}, u_4^{(2)}]) = [1, 2, 2, 3].$$



Now, based on these input signatures we can directly establish that any corre-
spondence between the latches of $F^{(1)}$ and $F^{(2)}$ has to identify latch $l_2^{(1)}$ of $F^{(1)}$
with latch $l_1^{(2)}$ of $F^{(2)}$, and latch $l_3^{(1)}$ with latch $l_4^{(2)}$. Thus, a correspondence
between the latches of $F^{(1)}$ and $F^{(2)}$ has been partially established. There is a
possible correspondence between the latches of $F^{(1)}$ and $F^{(2)}$ for latch equiv-
alence. However, both latches $l_1^{(1)}$ and $l_4^{(1)}$ of $F^{(1)}$ could correspond to $l_2^{(2)}$ as
well as to $l_3^{(2)}$ of $F^{(2)}$. In other words, aliasing occurs between the latches $l_1^{(1)}$
and $l_4^{(1)}$ of $F^{(1)}$ and between the latches $l_2^{(2)}$ and $l_3^{(2)}$ of $F^{(2)}$.

Since latches do not just correspond to inputs but to outputs of the combina-
tional parts of the sequential circuits as well, we have a second possibility to
distinguish between the latches with aliasing. We can use output signatures, for
example, the satisfy counts of the corresponding transition functions, in order
to try to uniquely identify them. In our example, we have to do this for the
outputs $v_1^{(1)}$ and $v_4^{(1)}$ of $F^{(1)}$, and for $v_2^{(2)}$ and $v_3^{(2)}$ of $F^{(2)}$. So let us assume
that

$$\mathcal{L}_O(F^{(1)}, [v_1^{(1)}, v_4^{(1)}]) = [4, 5]$$



and 
hold.

Now we are done, since we are able to establish a unique correspondence
between the latches $l_1^{(1)}$ and $l_4^{(1)}$ of $F^{(1)}$ and the latches $l_2^{(2)}$ and $l_3^{(2)}$ of $F^{(2)}$ as
well: latch $l_1^{(1)}$ of $F^{(1)}$ has to correspond to the latch of $F^{(2)}$ with output
signature 4, and latch $l_4^{(1)}$ of $F^{(1)}$ to the one with output signature 5. This gives
us the only possible unique correspondence between the latches.

Furthermore, if we require that signatures have to be elements of an ordered set,
we can establish a unique permutation independent order of the latches. In the
case of our example, that would be the order $[l_2^{(1)}, l_1^{(1)}, l_4^{(1)}, l_3^{(1)}]$ for the latches
of $F^{(1)}$ and the corresponding order, beginning with $l_1^{(2)}$ and ending with $l_4^{(2)}$,
for the latches of $F^{(2)}$.

This example demonstrates that the possibility to consider latches as inputs 
as well as outputs improves our chances to obtain a unique correspondence 
between the latches for a possible latch permutation equivalence of two se- 
quential circuits. Of course, it is not guaranteed that such a unique possible 
correspondence will be obtained. It strongly depends on the input and output 
signatures that we use and on the characteristics of the latches. Thus we focus 
on the following questions in the rest of this chapter. What input and output 
signatures can we use? What special properties of the problem do we need to 
take care of? 

2.2 Input signatures 

Only some modifications need to be made when considering signatures for 
input variables as introduced in Chapter 8 for use in the latch correspondence 
problem. 

Let us consider $F \in F_{n,m,k}$ again. It has $m$ primary outputs, $[y_1, \ldots, y_m]$. We
assumed that we can uniquely identify these primary outputs. The correspond-
ing Boolean functions $\lambda_1, \ldots, \lambda_m$ depend on the primary inputs $x_1, \ldots, x_n$ of
the sequential circuit and on the additional inputs $u_1, \ldots, u_k$ of the combina-
tional part of the sequential circuit which are due to the removal of the latches.
So we can use them step by step, starting with $y_1$ up to $y_m$, to compute input
signatures for $u_1, \ldots, u_k$.

Let us describe this on an example. Consider $F$ with two input variables, $x_1$
and $x_2$, two outputs, $y_1$ and $y_2$, and four latches, $l_1$, $l_2$, $l_3$, and $l_4$. Then, the two
outputs $y_1$ and $y_2$ represent Boolean functions, namely $\lambda_1$ and $\lambda_2$, that depend
on the set of input variables $[x_1, x_2, u_1, u_2, u_3, u_4]$. Now, let us use the cofactor
satisfy count signature function in order to try to separate $u_1, u_2, u_3$, and $u_4$. In
a first step, we compute this signature using $y_1$. Note that we must not use one
of the outputs $v_1, v_2, v_3$, or $v_4$ instead of $y_1$, since these outputs are not uniquely
identified as yet. Let us assume we obtain the partition $[\{u_1, u_3\}, u_4, u_2]$ by
applying the cofactor satisfy count signature function with respect to $y_1$. This
means that we can uniquely identify the input variables $u_2$ and $u_4$ and thus the
latches $l_2$ and $l_4$. Furthermore, we obtain a unique partial order of the latches:
$[\{l_1, l_3\}, l_4, l_2]$. Now, we can use output function $y_2$ in a second step to try to
distinguish between the latch input variables $u_1$ and $u_3$ as well.

2.3 Output signatures 

Similar to the input signatures, we can use output signatures to identify the
outputs $v_1, \ldots, v_k$ of the combinational part of the sequential circuit. The
identification of these outputs implies the identification of the latches as well.
Such a latch output signature function assigns a value, a vector of values, or a
function, which has to be an element of an ordered set, to each output $v_j$. It
provides special information on the corresponding latch $l_j$ considered as output
of the combinational part of the sequential circuit. This information has to be
independent of any permutation of the latches of $F$, in general. (Remember
that a latch considered as an output of the combinational block usually depends
not only on the primary inputs of the sequential circuit, but also on the latches
considered as inputs of the combinational block.) Actually, a latch output sig-
nature has to be independent of the permutation of only those latch input variables
which have not been uniquely identified yet. If a latch is uniquely identified
during signature computation, this information can be used in the identification
process of the remaining latches. This fact is a new aspect compared to conven-
tional permutation independent Boolean comparison as described in Chapter 8.
We will go into details in Section 2.3.2.

Now let us develop latch output signatures. For this, let us consider the example
circuit $F \in F_{n,m,k}$ with two input variables, $x_1$ and $x_2$, two outputs, $y_1$ and
$y_2$, and four latches, $l_1$, $l_2$, $l_3$, and $l_4$, again. Suppose we could not distinguish
between the latches $l_1$ and $l_3$ considering them as input variables $u_1$ and $u_3$.
Thus, we still have the partial order of the latches, $[\{l_1, l_3\}, l_4, l_2]$. Now, let us
consider these latches as outputs of the combinational block of $F$, $v_1$ and $v_3$. In
general, these outputs represent the transition functions $\delta_1$ and $\delta_3$ that depend
on all primary input variables and on the latches considered as input variables.

Now, we can apply the following kinds of latch output signatures to $\delta_1$ and $\delta_3$.

2.3.1 Simple output signatures 

All the output signature functions introduced in Chapter 8 Section 3.2 can
directly be applied as latch output signatures. The most important ones are

■ the satisfy count $|\delta_i|$,

■ the vector of the cofactor satisfy count signatures of the input variables of
$\delta_i$ sorted by the size of the satisfy counts,

$$\mathrm{sort}(|(\delta_i)_{x_1=1}|, |(\delta_i)_{x_2=1}|, |(\delta_i)_{u_1=1}|, \ldots, |(\delta_i)_{u_4=1}|),$$

■ the breakup signature with respect to function $\delta_i$ and origin $o = [0, 0, \ldots, 0]$.

These signature functions satisfy all necessary properties since they are output
signatures for $\delta_i$ (i.e., for $v_i$) which are independent of the permutation of the
latch input variables $u_1, u_2, u_3$, and $u_4$ as well.

If these simple output signatures do not break the tie, we have to apply some 
stronger latch output signatures. 

2.3.2 Function signatures for latch outputs 

Here we use the fact that we have already uniquely identified the primary input
variables of the sequential circuit and that some of the latches might have been
identified already as well. So, any subfunction of the transition function $\delta_i$ that is
independent of the latch input variables which are not identified already is a latch
output signature. There are several possibilities for this kind of subfunction.
Let us consider our example $F$ with the two primary input variables, $x_1$ and
$x_2$, and the four latch variables considered as inputs, $u_1, u_2, u_3$, and $u_4$, again.
Subfunctions of the transition functions $\delta_1$ and $\delta_3$ which only depend on
$x_1$ and $x_2$ are, for example,

$$(\delta_i)_{[u_1, u_2, u_3, u_4] = (1, 1, 1, 1)},$$

$$(\delta_i)_{[u_1, u_2, u_3, u_4] = (0, 0, 0, 0)},$$

$$(\forall u_4 : (\forall u_3 : (\forall u_2 : (\forall u_1 : \delta_i)))),$$

and

$$(\exists u_4 : (\exists u_3 : (\exists u_2 : (\exists u_1 : \delta_i))))$$

for $i = 1$ and $i = 3$. These function output signatures contain special in-
formation about $\delta_i$ which is independent of the permutation of the latch input
variables of $F$.

However, as already indicated above, we can choose subfunctions of $\delta_i$ which
also depend on latch input variables of latches already identified. We can use
exactly the same idea as for constructing the function signatures for input vari-
ables (see Chapter 8 on page 181). For each latch which is uniquely identified
at this point, the corresponding latch input variable can be uniquely identified as
well. In our example, this is the case for the latches $l_2$ and $l_4$. So, subfunctions
of $\delta_1$ and $\delta_3$ which depend on the primary inputs $x_1$ and $x_2$ and on the latch
input variables $u_2$ and $u_4$ are latch output signatures, with one minor re-
striction: we need to reorder the latch input variables $u_2$ and $u_4$ independently
of permutation in these subfunctions. Therefore, let us use the order of the
latches established by previously used signatures. In the case of our example,
the permutation which reorders the input variables of such a subfunction would
be $(x_1, x_2, u_4, u_2)$ (see the latch order of our example in the previous section).
Such a reordered subfunction of $\delta_1$ and $\delta_3$ has all the properties to be a latch
output signature and we can again try to distinguish between $\delta_1$ and $\delta_3$. This
process can be iterated as long as we can uniquely identify at least one more
latch. That is why we call this extended function signature the iterating function
signature. Experiments have shown that this is a very powerful signature.
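The paradigm of Sections 2.1 to 2.3.2 in executable form, as an added example; it is not code from the book or from any tool the book describes. The combinational part of a small sequential circuit is represented by Python callables over named variables; the satisfy count $|\delta_i|$ serves as simple output signature, the cofactor satisfy count $|(\lambda_j)_{u_i=1}|$ as input signature (one primary output after the other), and the iterating function signature restricts $\delta_i$ to the primary inputs and the already identified latch inputs in the established order by fixing all still aliased latch inputs to constants. Satisfy counts are obtained by brute-force enumeration, where a real tool would use BDDs. The circuits F1, F2 and F3, the permutation PI and every function name are constructed for this illustration: F2 is a latch-permuted copy of F1, so the recovered correspondence must reproduce PI; F3 has the same signatures as F2 but a different primary output function, which shows that a unique candidate correspondence still has to be verified by an equivalence check.

```python
from itertools import product

# Conventions assumed for this example: the combinational part of a sequential circuit is
# the tuple (xs, us, lam, delta): primary input names x_1..x_n, latch input names u_1..u_k,
# the primary output functions lambda_j and the transition functions delta_i, each a Python
# callable over a dict {name: 0/1}. delta[i] drives output v_i, the next value of latch i.

def satisfy_count(f, variables, fixed=None):
    """|f| with the variables in `fixed` held constant, i.e. a cofactor satisfy count."""
    fixed = fixed or {}
    free = [v for v in variables if v not in fixed]
    return sum(f({**fixed, **dict(zip(free, bits))})
               for bits in product((0, 1), repeat=len(free)))

def refine(order, key):
    """Split every aliasing group of `order` (a list of lists of latch indices) by the
    signature `key`; subgroups are emitted in increasing signature order, so the result
    is again a permutation independent partial order of the latches."""
    new = []
    for group in order:
        buckets = {}
        for i in group:
            buckets.setdefault(key(i), []).append(i)
        new.extend(buckets[s] for s in sorted(buckets))
    return new

def latch_order(circ):
    """Partial, permutation independent order of the latches (singleton = identified)."""
    xs, us, lam, delta = circ
    variables = xs + us
    order = [list(range(len(us)))]                    # one aliasing group holding all latches
    # simple output signature: satisfy count |delta_i| of latch i seen as output v_i
    order = refine(order, lambda i: satisfy_count(delta[i], variables))
    # input signatures: cofactor satisfy count |(lambda_j)_{u_i=1}|, one primary output
    # after the other (the v_i must not be used here: they are not identified yet)
    for lam_j in lam:
        order = refine(order, lambda i: satisfy_count(lam_j, variables, {us[i]: 1}))
    # iterating function signature: truth table of delta_i over the primary inputs and the
    # identified latch inputs (in the established order), all still aliased latch inputs
    # being fixed to 1 resp. 0; repeated while at least one more latch gets identified
    while any(len(g) > 1 for g in order):
        identified = [g[0] for g in order if len(g) == 1]
        aliased = [i for g in order if len(g) > 1 for i in g]
        ordered = xs + [us[i] for i in identified]
        def sig(i):
            return tuple(delta[i]({**{us[a]: c for a in aliased}, **dict(zip(ordered, bits))})
                         for c in (1, 0) for bits in product((0, 1), repeat=len(ordered)))
        new = refine(order, sig)
        if new == order:
            break                                     # no latch identified: tie not broken
        order = new
    return order

def latch_correspondence(c1, c2):
    """Candidate correspondence [(latch of c1, latch of c2), ...], or None if aliasing remains."""
    o1, o2 = latch_order(c1), latch_order(c2)
    if any(len(g) > 1 for g in o1 + o2):
        return None
    return [(g1[0], g2[0]) for g1, g2 in zip(o1, o2)]

def equivalent_under(c1, c2, corr):
    """Exhaustive check that lambda and delta of both circuits agree under `corr`."""
    xs, us1, lam1, d1 = c1
    _, us2, lam2, d2 = c2
    m = dict(corr)
    for bits in product((0, 1), repeat=len(xs) + len(us1)):
        e1 = dict(zip(xs + us1, bits))
        e2 = {**{x: e1[x] for x in xs}, **{us2[m[i]]: e1[us1[i]] for i in range(len(us1))}}
        if any(f(e1) != g(e2) for f, g in zip(lam1, lam2)):
            return False
        if any(d1[i](e1) != d2[m[i]](e2) for i in range(len(us1))):
            return False
    return True

def permute_latches(circ, pi, lam=None):
    """Copy of `circ` with latch i moved to position pi[i] and renamed w_{pi[i]+1}; `lam`
    optionally replaces the primary output functions (to build a non-equivalent look-alike)."""
    xs, us, lam0, delta = circ
    inv = [pi.index(j) for j in range(len(us))]       # inv[j]: old latch now at position j
    ws = [f"w{j + 1}" for j in range(len(us))]
    def rename(f):
        return lambda e: f({**{x: e[x] for x in xs}, **{us[inv[j]]: e[ws[j]] for j in range(len(ws))}})
    return xs, ws, [rename(f) for f in (lam or lam0)], [rename(delta[inv[j]]) for j in range(len(ws))]

# Constructed example (not from the book): two primary inputs, one primary output, four
# latches. delta_1 and delta_3 share the satisfy count 16 and lambda_1 is symmetric in u1 and
# u3, so only the iterating function signature (via the identified l2, l4) separates l1 from l3.
F1 = (["x1", "x2"], ["u1", "u2", "u3", "u4"],
      [lambda e: e["x1"] & (e["u1"] ^ e["u3"])],                       # lambda_1
      [lambda e: e["x1"] & e["u2"], lambda e: e["x2"],                # delta_1, delta_2
       lambda e: e["x1"] & e["u4"], lambda e: e["x1"] | e["x2"]])     # delta_3, delta_4
PI = [2, 0, 3, 1]                                     # latch i of F1 becomes latch PI[i] of F2
F2 = permute_latches(F1, PI)                          # latch-permuted copy: equivalent
F3 = permute_latches(F1, PI, lam=[lambda e: e["x2"] & (e["u1"] ^ e["u3"])])  # same signatures

if __name__ == "__main__":
    print(latch_order(F1))                                          # [[0], [2], [1], [3]]
    corr = latch_correspondence(F1, F2)
    print(corr, equivalent_under(F1, F2, corr))                     # [(0, 2), (2, 3), (1, 0), (3, 1)] True
    print(equivalent_under(F1, F3, latch_correspondence(F1, F3)))   # False: signatures only filter
```

The order for F1 comes out as $[l_1, l_3, l_2, l_4]$ (indices start at 0 in the code), and zipping it with the order of F2 yields exactly the permutation PI. `refine` sorts the subgroups by signature value, which is why every signature here is an integer or a tuple: this is the requirement, stated above, that signatures be elements of an ordered set, and it is what turns a partition into a permutation independent order. The F3 case is the practical caveat: equal signatures only restrict the candidate correspondences, so the final equivalence check is never optional.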

2.3.3 Canonical order signature 

There is another strong latch output signature. We call it the canonical order
signature. For that we use the methods introduced to handle the combinational
permutation equivalence problem. Remember that these methods can be used to
look for a canonical and permutation independent ordering of the input variables
of a Boolean function, up to partial and hierarchical symmetries.

Again, let us consider the Boolean function $\delta_i$ which is represented by the output
$v_i$ of the combinational block of $F$. On the input variables of this function, the
methods used in Chapter 8 can be applied in order to look for a canonical
(up to partial and hierarchical symmetries) permutation independent variable
ordering as well. Now, assume that such a canonical permutation independent
order exists and suppose that $\pi \in Per(\mathbb{N}_{n+k})$ is a permutation of the
input variables of $\delta_i$ which constructs this canonical order. Then the canonical
order signature of $\delta_i$ is the function

$$\delta_i \circ \pi .$$

This function is independent of the permutation of the input variables $u_1, \ldots, u_k$
of $\delta_i$. Thus it is a latch output signature. Note that finding this canonical
ordering can be restricted to the latch input variables because the primary input
variables $x_1, \ldots, x_n$ of $\delta_i$ are uniquely identified by assumption.

2.4 An example 

In this section, we illustrate our solution paradigm with benchmark ex4.slif
from the LGSynth91 benchmark set [89]. We are not going to use all signature
functions here. However, the general paradigm of finding a unique permutation
independent order of the latch variables, as described in the previous sections,
will become clear.

Benchmark ex4.slif is the description of a sequential circuit with six primary in-
put variables, $x_0, x_1, \ldots, x_5$, nine primary outputs, y20.14, y20.15, ..., y20.22,
and 14 latches. Let us call these latches $l_1, \ldots, l_{14}$ in the order of their appear-
ance in the benchmark description. For more details please see the benchmark
description in the LGSynth91 benchmark set [89].

We begin with computing a simple output signature. Let us apply the satisfy
count $|v_i|$ of the latch variable $l_i$ considered as output $v_i$ of the combinational
block of the sequential circuit. Here, we obtain the following characterization
of the latches:

$|v_1| = 0$,      $|v_2| = 288$,    $|v_3| = 128$,    $|v_4| = 128$,    $|v_5| = 192$,
$|v_6| = 64$,     $|v_7| = 128$,    $|v_8| = 128$,    $|v_9| = 96$,     $|v_{10}| = 128$,
$|v_{11}| = 128$, $|v_{12}| = 192$, $|v_{13}| = 64$,  $|v_{14}| = 128$.
By these signatures we obtain a partial, permutation independent order of the
latches, namely

$$[\,l_1,\ \underbrace{\{l_6, l_{13}\}}_{\text{group 1}},\ l_9,\ \underbrace{\{l_3, l_4, l_7, l_8, l_{10}, l_{11}, l_{14}\}}_{\text{group 2}},\ \underbrace{\{l_5, l_{12}\}}_{\text{group 3}},\ l_2\,].$$

That is, there are three aliasing groups of latches, one of size 7 and two of size 2, 
for which we have to do further computations. We now consider these latches 
as input variables, $u_i$, of the combinational block and use an input signature to
try to distinguish between them. For doing that, we take one primary output 
function, y20.i, after the other and compute the selected input signature with 
respect to this output function. Let us take the cofactor satisfy count signature 
as input signature and start with primary output function y20.14. In this first 
iteration, we obtain the following results for the three aliasing groups: 

aliasing group 1

$|(y20.14)_{u_6=1}| = 256$,  $|(y20.14)_{u_{13}=1}| = 256$,

aliasing group 2

$|(y20.14)_{u_3=1}| = 0$,  $|(y20.14)_{u_4=1}| = 0$,  $|(y20.14)_{u_7=1}| = 0$,  $|(y20.14)_{u_8=1}| = 256$,
$|(y20.14)_{u_{10}=1}| = 0$,  $|(y20.14)_{u_{11}=1}| = 0$,  $|(y20.14)_{u_{14}=1}| = 256$,

and

aliasing group 3

$|(y20.14)_{u_5=1}| = 128$,  $|(y20.14)_{u_{12}=1}| = 128$.

We see that the latches of aliasing group 1 and group 3 cannot be distinguished
using the cofactor satisfy count signature with respect to primary output function
y20.14. However, we can split up group 2 into the subgroups $\{l_3, l_4, l_7, l_{10}, l_{11}\}$
and $\{l_8, l_{14}\}$. So, we obtain a finer partial order for the latches,

$$[l_1, \{l_6, l_{13}\}, l_9, \{l_3, l_4, l_7, l_{10}, l_{11}\}, \{l_8, l_{14}\}, \{l_5, l_{12}\}, l_2].$$

At this point we have four aliasing groups of latch variables, namely three of
size 2 and one of size 5. Now, we can continue with computing the cofactor sat-
isfy count signatures with respect to primary output function y20.15, analyzing
the new situation with respect to those signatures (Is there a finer partition of
the latches?), and so on for all primary outputs, until there is a unique order
of the latches. However, even after using all the primary output variables, we
still have just a partial order of the latches,

$$[l_1, \{l_6, l_{13}\}, l_9, \{l_4, l_{11}\}, l_7, l_3, l_{10}, l_8, l_{14}, \{l_5, l_{12}\}, l_2].$$

There are three aliasing groups of size 2. So, let us try and see how the more
complex output signatures work. At first, we will use a vector of function
signatures. This works as follows. We consider the latch variables $l_i$ of the
three aliasing groups as outputs $v_i$ of the combinational block of circuit ex4.slif.
Then we compute subfunctions of the transition function $\delta_i$ which is represented
by such an output $v_i$, which are independent of the latch input variables. For
the purpose of this example, let us take the following pair of two functions:

Unfortunately, when applying this signature there is no difference between the
function signatures of $l_6$ and $l_{13}$, $l_4$ and $l_{11}$, and $l_5$ and $l_{12}$, respectively.
However, applying the canonical order signature helps to distinguish between
latch $l_4$ and $l_{11}$, and we obtain the partial order

$$[l_1, \{l_6, l_{13}\}, l_9, l_{11}, l_4, l_7, l_3, l_{10}, l_8, l_{14}, \{l_5, l_{12}\}, l_2]$$

for the latches.

Now, let us try the iterating function signature next. Here, we use the same
functions as for the function signature described above, but with one important
difference. The computed subfunctions of an output function $\delta_i$ are not inde-
pendent of all latch input variables, but only of those which are still in aliasing
groups. A vector of such subfunctions of latch variable $l_i$ of one of our aliasing
groups is, for example,

$$\left( (\delta_i)_{[u_5, u_6, u_{12}, u_{13}] = (1, 1, 1, 1)},\ (\delta_i)_{[u_5, u_6, u_{12}, u_{13}] = (0, 0, 0, 0)} \right).$$

We need to reorder the uniquely identified latch input variables in the restricted
functions in order to obtain an iterating function signature. The new order is the
permutation independent and unique suborder which is given by the established
order of our latch variables

$$(u_1, u_9, u_{11}, u_4, u_7, u_3, u_{10}, u_8, u_{14}, u_2).$$

We finally can establish a unique permutation independent order of all latch
variables with the help of this output signature:

$$[l_1, l_6, l_{13}, l_9, l_{11}, l_4, l_7, l_3, l_{10}, l_8, l_{14}, l_5, l_{12}, l_2].$$




Friend, you have read enough. If you desire still more, then be the poem
yourself, and all it stands for. — Angelus Silesius